Abstract

We address a fundamental mismatch between the combinations of dynamics that occur in complex physical systems and the limited kinds of dynamics supported in analysis. Modern applications combine communication, computation, and control. They may even form dynamic networks, where neither structure nor dimension stay the same while the system follows mixed discrete and continuous dynamics.

We provide the logical foundations for closing this analytic gap. We develop a system model for distributed hybrid systems that combines quantified differential equations with quantified assignments and dynamic dimensionality-changes. We introduce a dynamic logic for verifying distributed hybrid systems and present a proof calculus for it. We prove that this calculus is a sound and complete axiomatization of the behavior of distributed hybrid systems relative to quantified differential equations. In our calculus we have proven collision freedom in distributed car control even when new cars may appear dynamically on the road.


1  Introduction 


Many safety-critical computers are embedded in cyber-physical systems like cars [13] or aircraft [7]. How do we know that their designs will work as intended? Ensuring correct functioning of cyber-physical systems is among the most challenging and most important problems in computer science, mathematics, and engineering. But the ability to analyze and understand global system behavior is the key to designing smart and reliable control.

Today, there is a fundamental mismatch between the actual combinations of dynamics that occur in applications and the restricted kinds of dynamics supported in analysis. Safety-critical systems in automotive, aviation, railway, and power grids combine communication, computation, and control. Combining computation and control leads to hybrid systems [11], whose behavior involves both discrete and continuous dynamics originating, e.g., from discrete control decisions and differential equations of movement. Combining communication and computation leads to distributed systems [1], whose dynamics are discrete transitions of system parts that communicate with each other. They may form dynamic distributed systems, where the structure of the system is not fixed but evolves over time and agents may appear or disappear during the system evolution.

Combinations of all three aspects (communication, computation, and control) are used in sophisticated applications, e.g., cooperative distributed car control [13]. Neither structure nor dimension stay the same, because new cars can appear on the street or leave it; see Fig. 1. These systems are (dynamic) distributed hybrid systems. They cannot be considered just as a distributed system (because, e.g., the continuous evolution of positions and velocities matters for collision freedom in car control) nor just as a hybrid system (because the evolving system structure and appearance of new agents can make an otherwise collision-free system unsafe). It is generally impossible to split the analysis of distributed hybrid systems soundly into an analysis of a distributed system (without continuous movement) and an analysis of a hybrid system (without structural changes or appearance), because all kinds of dynamics interact, just like hybrid systems generally cannot be analyzed from a purely discrete or a purely continuous perspective [11, 17].

Distributed hybrid systems have been considered to varying degrees in modeling languages [6, 21, 15, 16]. In order to build these systems, however, scientists and engineers also need analytic tools to understand and predict their behavior. But formal verification and proof techniques do not yet support the required combination of dynamical effects, which is not surprising given the numerous sources of undecidability for distributed hybrid systems verification.

In this paper, we provide the logical foundations to close this fundamental analytic gap. We develop quantified hybrid programs (QHPs) as a model for distributed hybrid systems, which combine dynamical effects from multiple sources: discrete transitions, continuous evolution, dimension changes, and structured dynamics. In order to account for changes in the dimension and for co-evolution of an unbounded and evolving number of participants, we generalize the notion of states from assignments for primitive system variables to full first-order structures. Function term $x(i)$ may denote the position of car $i$ of type $C$, $f(i)$ could be the car registered by communication as the car following car $i$, and the term $d(i, f(i))$ could denote the minimum safety distance negotiated between car $i$ and its follower. The values of all these terms may evolve for all $i$ as time progresses according to interacting laws of discrete and continuous dynamics. They are also affected by changing the system dimension as new cars appear or disappear, or by reconfiguring the system structure dynamically. The defining characteristic of QHPs is that they allow quantified hybrid dynamics in which variables like $i$ that occur in function arguments of the system dynamics are quantified over, such that the system co-evolves, e.g., for all cars $i$ of type $C$.

Figure 1: Distributed car control (schematic: cars $i$ on a road with positions $x(i)$ and velocities $v(i)$; a new car $n$ may enter).

There is a crucial difference between a primitive system variable $x$ and a first-order function term $x(i)$, where $i$ is quantified over. Hybrid dynamics of primitive system variables can model, say, 5 cars (putting scalability issues aside), but not $n$ cars and not systems with a varying number of cars. With first-order function symbols $x(i)$ and hybrid dynamics quantifying over all cars $i$, a QHP can represent any number of cars at once and even (dis)appearance of cars.

Verification of distributed hybrid systems is challenging, because they have three independent sources of undecidability: discrete dynamics, continuous dynamics, and structural/dimensional dynamics. As an analysis tool for distributed hybrid systems, we introduce a specification and verification logic for QHPs that we call quantified differential dynamic logic (QdL). QdL provides dynamic logic [10] modal operators $[\alpha]$ and $\langle\alpha\rangle$ that refer to the states reachable by QHP $\alpha$ and can be placed in front of any formula. Formula $[\alpha]\phi$ expresses that all states reachable by system $\alpha$ satisfy formula $\phi$, while $\langle\alpha\rangle\phi$ expresses that there is at least one reachable state satisfying $\phi$. These modalities can express necessary or possible properties of the transition behavior of $\alpha$. With its ability to verify (dynamic) distributed hybrid systems and quantified dynamics, QdL is a major extension of prior work for static hybrid systems [17, 18] or programs [2, 22].

Our primary contributions are:

• We introduce a system model and semantics that succinctly captures the logical quintessence of (dynamic) distributed hybrid systems with joint discrete, continuous, structural, and also dimension-changing dynamics.

• We introduce a specification/verification logic for distributed hybrid systems.

• We present a proof calculus for this logic, which, to the best of our knowledge, is the first verification approach that can handle distributed hybrid systems with their hybrid dynamics and unbounded (and evolving) dimensions.

• We prove that this compositional calculus is a sound and complete axiomatization relative to differential equations.

• We have used our proof calculus to verify collision freedom in a distributed car control system, where new cars may appear dynamically on the road.

This work constitutes the logical foundation for analysis of distributed hybrid systems. Since distributed hybrid control is key to controlling numerous advanced systems, analytic approaches have significant potential for applications.

Our verification approach for distributed hybrid systems is a fundamental extension compared to previous approaches. In much the same way as first-order logic increases the expressive power over propositional logic (quantifiers and function symbols are required to express properties of unbounded structures), QdL increases the expressive power over its predecessors (because first-order functions and quantifiers in the dynamics of QHPs are required to characterize systems with unbounded and changing dimensions).


2  Related  Work 

Multi-party distributed control has been suggested for car control [13] and air traffic control [7]. Due to limits in verification technology, no formal analysis of the distributed hybrid dynamics has been possible for these systems yet. Analysis results include discrete message handling [13] or collision avoidance for two participants [7]. In distributed car control and air traffic control systems, appearance of new participants is a major unsolved challenge for formal verification.

The importance of understanding dynamic / reconfigurable distributed hybrid systems was recognized in modeling languages SHIFT [6] and R-Charon [15]. They focused on simulation / compilation [6] or the development of a semantics [15], so that no verification is possible yet. For stochastic simulation see [16], where soundness has not been proven, because ensuring coverage is difficult.

For distributed hybrid systems, even giving a formal semantics is very challenging [4, 21, 15, 23]! Zhou et al. [4] gave a semantics for a hybrid version of CSP in the Extended Duration Calculus. Rounds [21] gave a semantics in a rich set theory for a spatial logic for a hybrid version of the $\pi$-calculus. In the hybrid $\pi$-calculus, processes interact with a continuously changing environment, but cannot themselves evolve continuously, which would be crucial to capture the physical movement of traffic agents. From the semantics alone, no verification is possible in these approaches, except perhaps by manual semantic reasoning.

Other process-algebraic approaches, like $\chi$ [23], have been developed for modeling and simulation. Verification is still limited to small fragments that can be translated directly to other verification tools like PHAVer or UPPAAL, which have fixed dimensions and restricted dynamics (no distributed hybrid systems).

Our approach is completely different. It is based on first-order structures and dynamic logic. We focus on developing a logic that supports distributed hybrid dynamics and is amenable to automated theorem proving in the logic itself.

Our previous work and other verification approaches for static hybrid systems cannot verify distributed hybrid systems. Distributed hybrid systems may have an unbounded and changing number of components/participants, which cannot be represented with any fixed number of dimensions of the state space. In distributed car control, for instance, there is no prior limit on the number of cars on the street. Even when there is a limit, explicit replication of the system, say, 100 times, does not yield a scalable verification approach.

Approaches for distributed systems [1] do not cover hybrid systems, because the addition of differential equations to distributed systems is even more challenging than the addition of differential equations to discrete dynamics.
3 Syntax of QdL

As a formal logic for specifying and verifying correctness properties of distributed hybrid systems, we introduce quantified differential dynamic logic (QdL). QdL combines dynamic logic for reasoning about system runs [10] with many-sorted first-order logic for reasoning about all ($\forall i:C\ \phi$) or some ($\exists i:C\ \phi$) objects of a sort $C$, e.g., the sort of all cars. The most important defining characteristic of QdL is that its system model of quantified hybrid programs (QHP) supports quantified operations that affect all objects of a sort $C$ at once. If $C$ is the sort of cars, QHP $\forall i:C\ a(i) := a(i) + 1$ increases the respective accelerations $a(i)$ of all cars $i$ at once. QHP $\forall i:C\ v(i)' = a(i)$ represents a continuous evolution of the respective velocities $v(i)$ of all cars at once according to their acceleration. Quantified assignments and quantified differential equation systems are crucial for representing distributed hybrid systems where an unbounded number of objects co-evolve simultaneously. Note that we use the same quantifier notation $\forall i:C$ for quantified operations in programs and for logical formulas.

We model the appearance of new participants in the distributed hybrid system, e.g., new cars entering the road, by a program $n := \mathit{new}\ C$. It creates a new object of type $C$, thereby extending the range of subsequent quantified assignments or differential equations ranging over created objects of type $C$. With quantifiers and function terms, $\mathit{new}$ can be handled in a modular way (Section 5).

3.1  Quantified  Differential  Dynamic  Logic 

Sorts  QdL supports a (finite) number of object sorts, e.g., the sort of all cars. For continuous quantities of distributed hybrid systems like positions or velocities, we add the sort $\mathbb{R}$ for real numbers. See previous work [2] for subtyping of sorts.

Terms  QdL terms are built from a set of (sorted) function/variable symbols as in many-sorted first-order logic. Unlike in first-order logic, the interpretation of function symbols can change by running QHPs. Even objects may appear or disappear while running QHPs. We use function symbol $E(\cdot)$ to distinguish between objects $i$ that actually exist and those that have not been created yet, depending on the value of $E(i)$, which may change its interpretation. We use $0, 1, +, -, \cdot$ with the usual notation and fixed semantics for real arithmetic. For $n \geq 0$ we abbreviate $f(s_1, \ldots, s_n)$ by $f(s)$ using vectorial notation and we use $s = t$ for element-wise equality.

Formulas  The formulas of QdL are defined as in first-order dynamic logic plus many-sorted first-order logic by the following grammar ($\phi, \psi$ are formulas, $\theta_1, \theta_2$ are terms of the same sort, $i$ is a variable of sort $C$, and $\alpha$ is a QHP):

$$\phi, \psi \;::=\; \theta_1 = \theta_2 \;\mid\; \theta_1 \geq \theta_2 \;\mid\; \neg\phi \;\mid\; \phi \wedge \psi \;\mid\; \forall i:C\ \phi \;\mid\; \exists i:C\ \phi \;\mid\; [\alpha]\phi \;\mid\; \langle\alpha\rangle\phi$$

We use standard abbreviations to define $\leq, <, >, \vee, \rightarrow$. Sorts $C \neq \mathbb{R}$ have no ordering and only $\theta_1 = \theta_2$ is allowed. For sort $\mathbb{R}$, we abbreviate $\forall x:\mathbb{R}\ \phi$ by $\forall x\ \phi$. In the following, all formulas and terms have to be well-typed. QdL formula $[\alpha]\phi$ expresses that all states reachable by QHP $\alpha$ satisfy formula $\phi$. Likewise, $\langle\alpha\rangle\phi$ expresses that there is at least one state reachable by $\alpha$ for which $\phi$ holds.

For short notation, we allow conditional terms of the form $\mathit{if}\ \phi\ \mathit{then}\ \theta_1\ \mathit{else}\ \theta_2\ \mathit{fi}$ (where $\theta_1$ and $\theta_2$ have the same sort). This term evaluates to $\theta_1$ if the formula $\phi$ is true and to $\theta_2$ otherwise. We consider formulas with conditional terms as abbreviations, e.g., $\psi(\mathit{if}\ \phi\ \mathit{then}\ \theta_1\ \mathit{else}\ \theta_2\ \mathit{fi})$ for

$$(\phi \rightarrow \psi(\theta_1)) \wedge (\neg\phi \rightarrow \psi(\theta_2)).$$

Example  A major challenge in distributed car control systems [13] is that they do not follow fixed, static setups. Instead, new situations can arise dynamically that change structure and dimension of the system whenever new cars appear on the road from on-ramps or leave it; see Fig. 1. As a running example, we model a distributed car control system DCCS. First, we consider QdL properties.

If $i$ is a term of type $C$ (for cars), let $x(i)$ denote the position of car $i$, $v(i)$ its current velocity, and $a(i)$ its current acceleration. A state is collision-free if all cars are at different positions, i.e., $\forall i \neq j:C\ x(i) \neq x(j)$. The following QdL formula expresses that the system DCCS controls cars collision-free:

$$(\forall i, j:C\ M(i,j)) \;\rightarrow\; [\mathit{DCCS}]\,\forall i \neq j:C\ x(i) \neq x(j) \tag{1}$$

It says that DCCS controlled cars are always in a collision-free state (postcondition), provided that DCCS starts in a state satisfying $M(i,j)$ for all cars $i, j$ (precondition). Formula $M(i,j)$ characterizes a simple compatibility condition: for different cars $i \neq j$, the car that is further down the road (i.e., with greater position) neither moves slower nor accelerates slower than the other car, i.e.:

$$M(i,j) \;\equiv\; i \neq j \rightarrow \big((x(i) < x(j) \wedge v(i) \leq v(j) \wedge a(i) \leq a(j)) \;\vee\; (x(i) > x(j) \wedge v(i) \geq v(j) \wedge a(i) \geq a(j))\big) \tag{2}$$

3.2  Quantified  Hybrid  Programs 

As  a  system  model  for  distributed  hybrid  systems,  we  introduce  quantified  hybrid  programs  (QHP). 
These  are  regular  programs  from  dynamic  logic  [10]  to  which  we  add  quantified  assignments  and 
quantified  differential  equation  systems  for  distributed  hybrid  dynamics.  From  these,  QHPs  are 
built  like  a  Kleene  algebra  with  tests  [14].  QHPs  are  defined  by  the  following  grammar  (a,  /3  are 
QHPs,  6  a  term,  i  a  variable  of  sort  C,  f  is  a  function  symbol,  s  is  a  vector  of  terms  with  sorts 
compatible  to  /,  and  y  is  a  formula  of  first-order  logic): 

a,  fi  ::=  Vi :  C  f(s)  0  \  Vi :  C  f(s)'  —  9 &x  |  ?x  |  a  U  fi  \  a\fi  \  a* 

Quantified State Change  The effect of quantified assignment $\forall i:C\ f(s) := \theta$ is an instantaneous discrete jump assigning $\theta$ to $f(s)$ simultaneously for all objects $i$ of sort $C$. The effect of quantified differential equation $\forall i:C\ f(s)' = \theta\ \&\ \chi$ is a continuous evolution where, for all objects $i$ of sort $C$, all differential equations $f(s)' = \theta$ hold and formula $\chi$ holds throughout the evolution (the state remains in the region described by $\chi$). The dynamics of QHPs changes the interpretation of terms over time: $f(s)'$ is intended to denote the derivative of the interpretation of the term $f(s)$ over time during continuous evolution, not the derivative of $f(s)$ by its argument $s$. For $f(s)'$ to be defined, we assume $f$ is an $\mathbb{R}$-valued function symbol. For simplicity, we assume that $f$ does not occur in $s$. In most quantified assignments/differential equations $s$ is just $i$. Time itself is implicit. If a clock variable $t$ is needed in a QHP, it can be axiomatized by $t' = 1$, which is equivalent to $\forall i:C\ t' = 1$ where $i$ does not occur in $t$. For such vacuous quantification ($i$ does not occur anywhere), we may omit $\forall i:C$ from assignments and differential equations. Similarly, we may omit vectors $s$ of length 0.

Regular Programs  The effect of test $?\chi$ is a skip (i.e., no change) if formula $\chi$ is true in the current state and abort (blocking the system run by a failed assertion), otherwise. Nondeterministic choice $\alpha \cup \beta$ is for alternatives in the behavior of the distributed hybrid system. In the sequential composition $\alpha; \beta$, QHP $\beta$ starts after $\alpha$ finishes ($\beta$ never starts if $\alpha$ continues indefinitely). Nondeterministic repetition $\alpha^*$ repeats $\alpha$ an arbitrary number of times, possibly zero times.

QHPs (with their semantics and our proof rules) can be extended to systems of quantified differential equations, simultaneous assignments to multiple functions $f, g$, or statements with multiple quantifiers ($\forall i:C\ \forall j:D\ \ldots$). To simplify notation, we do not focus on these cases, which are vectorial extensions [17, 2].

Example  Continuous movement of position $x(i)$ of car $i$ with acceleration $a(i)$ is expressed by differential equation $x(i)'' = a(i)$, which corresponds to the first-order differential equation system $x(i)' = v(i),\ v(i)' = a(i)$ with velocity $v(i)$. Simultaneous movement of all cars with their respective accelerations $a(i)$ is expressed by the QHP $\forall i:C\ (x(i)'' = a(i))$ where quantifier $\forall i:C$ ranges over all cars, such that all cars co-evolve at the same time.

In addition to continuous dynamics, cars have discrete control. In the following QHP, discrete and continuous dynamics interact (repeatedly by the $^*$):

$$\big(\forall i:C\ (a(i) := \mathit{if}\ \forall j:C\ \mathit{far}(i,j)\ \mathit{then}\ a\ \mathit{else}\ {-b}\ \mathit{fi});\ \forall i:C\ (x(i)'' = a(i))\big)^* \tag{3}$$

First, all cars $i$ control their acceleration $a(i)$. Each car $i$ chooses maximum acceleration $a > 0$ for $a(i)$ if its distance to all other cars $j$ is far enough (some condition $\mathit{far}(i,j)$). Otherwise, $i$ chooses full braking $-b < 0$. After all accelerations have been set, all cars move continuously along $\forall i:C\ (x(i)'' = a(i))$. Accelerations may change repeatedly, because the repetition operator $^*$ can repeat the QHP when the continuous evolution stops at any time.
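The compatibility condition $M(i,j)$ from (2) is exactly what the continuous part of (3) needs in order to preserve collision freedom, and it is worth seeing why by hand. The following derivation is added here and is not part of the original paper; it treats one evolution along $\forall i:C\ (x(i)'' = a(i))$, during which every $a(i)$ is constant (the discrete controller in (3) may change accelerations between evolutions, which this derivation does not cover).

For any car $i$, the solution of $x(i)' = v(i)$, $v(i)' = a(i)$ with constant $a(i)$ is

$$x(i)(t) = x(i) + v(i)\,t + \tfrac{1}{2}\,a(i)\,t^2, \qquad v(i)(t) = v(i) + a(i)\,t .$$

Take $i \neq j$ with $M(i,j)$ and, without loss of generality, the first disjunct $x(i) < x(j) \wedge v(i) \leq v(j) \wedge a(i) \leq a(j)$. Then for all $t \geq 0$

$$x(j)(t) - x(i)(t) = \big(x(j) - x(i)\big) + \big(v(j) - v(i)\big)\,t + \tfrac{1}{2}\big(a(j) - a(i)\big)\,t^2 \;\geq\; x(j) - x(i) \;>\; 0,$$

$$v(j)(t) - v(i)(t) = \big(v(j) - v(i)\big) + \big(a(j) - a(i)\big)\,t \;\geq\; 0,$$

and $a(j)(t) - a(i)(t) = a(j) - a(i) \geq 0$ trivially. Hence $x(i)(t) \neq x(j)(t)$ and $M(i,j)$ itself hold at every time $t$ of the evolution; the second disjunct is symmetric. Since the argument is uniform in $i$ and $j$, it applies simultaneously to all pairs under $\forall i:C$, which is what makes $\forall i,j:C\ M(i,j)$ a candidate invariant for the postcondition in (1). The acceleration conjunct is not optional: with $x(i) < x(j)$ and $v(i) \leq v(j)$ but $a(i) > a(j)$, the gap above is a downward-opening parabola in $t$ and reaches zero at some finite $t$, i.e., the cars collide.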


4 Semantics of QdL

The QdL semantics is a constant domain Kripke semantics [9] with first-order structures as states that associate total functions of appropriate type with function symbols. In constant domain, all states share the same domain for quantifiers. In particular, we choose to represent object creation not by changing the domain of states, but by changing the interpretation of the createdness flag $E(i)$ of the object denoted by $i$. With $E(i)$, object creation is definable (Section 5).
States  A state $\sigma$ associates an infinite set $\sigma(C)$ of objects with each sort $C$, and it associates a function $\sigma(f)$ of appropriate type with each function symbol $f$, including $E(\cdot)$. For simplicity, $\sigma$ also associates a value $\sigma(i)$ of appropriate type with each variable $i$. The domain of $\mathbb{R}$ and the interpretation of $0, 1, +, -, \cdot$ is that of real arithmetic. We assume constant domain for each sort $C$: all states $\sigma, \tau$ share the same infinite domains $\sigma(C) = \tau(C)$. Sorts $C \neq D$ are disjoint: $\sigma(C) \cap \sigma(D) = \emptyset$. The set of all states is denoted by $\mathcal{S}$. The state $\sigma_i^e$ agrees with $\sigma$ except for the interpretation of variable $i$, which is changed to $e$.

Formulas  We use $\sigma[\![\theta]\!]$ to denote the value of term $\theta$ at state $\sigma$. Especially, $\sigma_i^e[\![\theta]\!]$ denotes the value of $\theta$ in state $\sigma_i^e$, i.e., in state $\sigma$ with $i$ interpreted as $e$. Further, $\rho(\alpha)$ denotes the state transition relation of QHP $\alpha$ as defined below. The interpretation $\sigma \models \phi$ of QdL formula $\phi$ with respect to state $\sigma$ is defined as:

1. $\sigma \models (\theta_1 = \theta_2)$ iff $\sigma[\![\theta_1]\!] = \sigma[\![\theta_2]\!]$; accordingly for $\geq$.

2. $\sigma \models \phi \wedge \psi$ iff $\sigma \models \phi$ and $\sigma \models \psi$; accordingly for $\neg$.

3. $\sigma \models \forall i:C\ \phi$ iff $\sigma_i^e \models \phi$ for all objects $e \in \sigma(C)$.

4. $\sigma \models \exists i:C\ \phi$ iff $\sigma_i^e \models \phi$ for some object $e \in \sigma(C)$.

5. $\sigma \models [\alpha]\phi$ iff $\tau \models \phi$ for all states $\tau$ with $(\sigma, \tau) \in \rho(\alpha)$.

6. $\sigma \models \langle\alpha\rangle\phi$ iff $\tau \models \phi$ for some $\tau$ with $(\sigma, \tau) \in \rho(\alpha)$.

Programs  The transition relation, $\rho(\alpha) \subseteq \mathcal{S} \times \mathcal{S}$, of QHP $\alpha$ specifies which state $\tau \in \mathcal{S}$ is reachable from $\sigma \in \mathcal{S}$ by running QHP $\alpha$. It is defined inductively:

1. $(\sigma, \tau) \in \rho(\forall i:C\ f(s) := \theta)$ iff state $\tau$ is identical to $\sigma$ except that at each position $o$ of $f$: if $\sigma_i^e[\![s]\!] = o$ for some object $e \in \sigma(C)$, then $\tau(f)(\sigma_i^e[\![s]\!]) = \sigma_i^e[\![\theta]\!]$. If there are multiple objects $e$ giving the same position $\sigma_i^e[\![s]\!] = o$, then all of the resulting states $\tau$ are reachable.

2. $(\sigma, \tau) \in \rho(\forall i:C\ f(s)' = \theta\ \&\ \chi)$ iff there is a function $\varphi:[0,r] \to \mathcal{S}$ for some $r \geq 0$ with $\varphi(0) = \sigma$ and $\varphi(r) = \tau$ satisfying the following conditions. At each time $t \in [0,r]$, state $\varphi(t)$ is identical to $\sigma$, except that at each position $o$ of $f$: if $\sigma_i^e[\![s]\!] = o$ for some object $e \in \sigma(C)$, then, at each time $\zeta \in [0,r]$:

   • The differential equations hold and derivatives exist (trivial for $r = 0$):
   $$\frac{d\,\big(\varphi(t)_i^e[\![f(s)]\!]\big)}{dt}(\zeta) = \varphi(\zeta)_i^e[\![\theta]\!]$$

   • The evolution domain is respected: $\varphi(\zeta)_i^e \models \chi$.

   If there are multiple objects $e$ giving the same position $\sigma_i^e[\![s]\!] = o$, then all of the resulting states $\tau$ are reachable.




3. $\rho(?\chi) = \{(\sigma, \sigma) : \sigma \models \chi\}$

4. $\rho(\alpha \cup \beta) = \rho(\alpha) \cup \rho(\beta)$

5. $\rho(\alpha; \beta) = \{(\sigma, \tau) : (\sigma, z) \in \rho(\alpha) \text{ and } (z, \tau) \in \rho(\beta) \text{ for a state } z\}$

6. $(\sigma, \tau) \in \rho(\alpha^*)$ iff there is an $n \in \mathbb{N}$ with $n \geq 0$ and there are states $\sigma = \sigma_0, \ldots, \sigma_n = \tau$ such that $(\sigma_j, \sigma_{j+1}) \in \rho(\alpha)$ for all $0 \leq j < n$.

The semantics is explicit change: nothing changes unless an assignment or differential equation specifies how. In cases 1 and 2, only $f$ changes and only at positions of the form $\sigma_i^e[\![s]\!]$ for some interpretation $e \in \sigma(C)$ of $i$. If there are multiple such $e$ that affect the same position $o$, any of those changes can take effect by a nondeterministic choice. QHP $\forall i:C\ x := a(i)$ may change $x$ to any $a(i)$. Hence, $[\forall i:C\ x := a(i)]\phi(x) \equiv \forall i:C\ \phi(a(i))$ and $\langle\forall i:C\ x := a(i)\rangle\phi(x) \equiv \exists i:C\ \phi(a(i))$. Similarly, $x$ can evolve along $\forall i:C\ x' = a(i)$ with any of the slopes $a(i)$. But evolutions cannot start with slope $a(c)$ and then switch to a different slope $a(d)$ later. Any choice for $i$ is possible but $i$ remains unchanged during each evolution.

We call a quantified assignment $\forall i:C\ f(s) := \theta$ or a quantified differential equation of the form $\forall i:C\ f(s)' = \theta\ \&\ \chi$ injective iff there is at most one $e$ satisfying cases 1 and 2. We call quantified assignments and quantified differential equations schematic iff $s$ is $i$ (thus injective) and the only arguments to function symbols in $\theta$ are $i$. Schematic quantified differential equations like $\forall i:C\ f(i)' = a(i)\ \&\ \chi$ are very common, because distributed hybrid systems often have a family of similar differential equations replicated for multiple participants $i$. Their synchronization typically comes from discrete communication on top of their continuous dynamics, less often from complicated, physically coupled differential equations.


5  Actual  Existence  and  Object  Creation 

Actual Existence  For the QdL semantics, we chose constant domain semantics, i.e., all states share the same domains. Thus quantifiers range over all possible objects (possibilist quantification) not just over actually existing objects (actualist quantification in varying domains) [9]. In order to distinguish between actual objects that exist in a state, because they have already been created and can now actively take part in its evolution, versus possible objects that still passively await creation, we use function symbol $E(\cdot)$. Symbol $E(\cdot)$ is similar to existence predicates in first-order modal logic [9], but its value can be assigned to in QHPs.

Object Creation  For term $i$ of type $C \neq \mathbb{R}$, $E(i) = 1$ represents that the object denoted by $i$ has been created and actually exists. We use $E(i) = 0$ to represent that $i$ has not been created. Object creation amounts to changing the interpretation of $E(i)$. For an object denoted by $i$ that has not been created ($E(i) = 0$), object creation corresponds to the state change caused by assignment $E(i) := 1$. With quantified assignments and function symbols, object creation is definable:

$$n := \mathit{new}\ C \;\equiv\; (\forall j:C\ n := j);\ ?(E(n) = 0);\ E(n) := 1$$

It assigns an arbitrary $j$ of type $C$ to $n$ that did not exist before ($E(n) = 0$) and adjusts existence ($E(n) := 1$). Disappearance of object $i$ corresponds to $E(i) := 0$. Our choice avoids semantic subtleties of varying domains about the meaning of free variables denoting non-existent objects as in free logics [9]. Denotation is standard. Terms may just denote objects that have not been activated yet. This is useful to initialize new objects (e.g., $x(n) := 8$) before activation ($E(n) := 1$).

Actualist Quantifiers  We define abbreviations for actualist quantifiers in formulas / quantified assignments / quantified differential equations that range only over previously created objects, similar to relativization in modal logic [9]:

$$\forall i:C!\ \phi \;\equiv\; \forall i:C\ (E(i) = 1 \rightarrow \phi)$$

$$\exists i:C!\ \phi \;\equiv\; \exists i:C\ (E(i) = 1 \wedge \phi)$$

$$\forall i:C!\ f(s) := \theta \;\equiv\; \forall i:C\ f(s) := (\mathit{if}\ E(i) = 1\ \mathit{then}\ \theta\ \mathit{else}\ f(s)\ \mathit{fi})$$

$$\forall i:C!\ f(s)' = \theta \;\equiv\; \forall i:C\ f(s)' = (\mathit{if}\ E(i) = 1\ \mathit{then}\ \theta\ \mathit{else}\ 0\ \mathit{fi}) \;\equiv\; \forall i:C\ f(s)' = E(i)\,\theta$$

The last 2 cases define quantified state change for actually existing objects using conditional terms that choose effect $\theta$ if $E(i) = 1$ and choose no effect (retaining the old value $f(s)$ or evolving with slope 0) if $E(i) = 0$. Notation $C!$ signifies that the quantifier domain is restricted to actually existing objects of type $C$.

We generally assume that QHPs involve only quantified assignments / differential equations that are restricted to created objects, because real systems only affect objects that are physically present, not those that will be created later. We still treat actualist quantification over $C!$ as a defined notion, in order to simplify the semantics and proof calculus by separating object creation from quantified state change rules in a modular way. If only finitely many objects have been created in the initial state (say 0), then it is easy to see that only finitely many new objects will be created with finitely many such QHP transitions, because each quantified state change for $C!$ only ranges over a finite domain then. We thus assume $E(\cdot)$ to have (unbounded but) finite support, i.e., each state only has a finite number of positions $i$ at which $E(i) = 1$. This makes sense in practice, because there is a varying but still finite number of participants (e.g., cars).

Example In order to restrict the dynamics and properties in the car control examples of Section 3 to created and physically present cars, we simply replace each occurrence of $\forall i{:}C$ with $\forall i{:}C!$. A challenging feature of distributed car control, however, is that new cars may appear dynamically from on-ramps (Fig. 1), changing the set of active objects. To model this, we consider the following QHP:

$\mathrm{DCCS} \;\equiv\; (n := \mathrm{new}\,C;\ ?\forall i{:}C!\ \mathcal{M}(i,n);\ \forall i{:}C!\ (x(i)''=a(i)))^*$ (4)

It creates a new car $n$ at an arbitrary position $x(n)$ satisfying compatibility condition $\mathcal{M}(i,n)$ with respect to all other created cars $i$. Hence DCCS allows new cars to appear, but not drop right out of the sky in front of a fast car or run at Mach 8 only 10ft away. When cars appear into the horizon from on-ramps, this condition captures that a car is only allowed to join the lane ("appear" into the model world) if it cannot cause a crash with other existing cars (Fig. 1). Unboundedly many cars may appear during the operation of DCCS and change the system dimension arbitrarily, because of the repetition operator $^*$.

DCCS is simple but shows how properties of distributed hybrid systems can be expressed in QdL. Structural dynamics corresponds to assignments to function terms. Say, $f(i)$ is the car registered by communication as the car following car $i$. Then a term $d(i,f(i))$, which denotes the minimum safety distance negotiated between car $i$ and its follower, is a crucial part of the system dynamics. Restructuring the system in response to lane change corresponds to assigning a new value to $f(i)$, which impacts the value of $d(i,f(i))$ in the system dynamics.
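The behaviour of DCCS (4) on a concrete road, as an added example that is not code from the paper: created cars form the finite support of $E$, a candidate car $n$ is admitted only if the test $?\forall i{:}C!\ \mathcal{M}(i,n)$ passes, and $\forall i{:}C!\ (x(i)''=a(i))$ is run for a chosen duration $t$ via its closed-form solution. The car names, the sample configuration and the helper names are constructed for this illustration.

```python
# Added example (not from the paper): a finite-support model of DCCS (4).
# Created cars are the keys of a dict (the positions i with E(i)=1).
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Car:
    x: float  # position
    v: float  # velocity
    a: float  # acceleration


def compatible(ci: Car, cj: Car) -> bool:
    """M(i,j) for i != j: the orderings of position, velocity and
    acceleration agree, so the two cars can never meet."""
    return ((ci.x < cj.x and ci.v <= cj.v and ci.a <= cj.a) or
            (ci.x > cj.x and ci.v >= cj.v and ci.a >= cj.a))


def invariant(cars: dict) -> bool:
    """forall i,j:C! M(i,j), ranging only over created cars."""
    return all(compatible(cars[i], cars[j]) for i, j in combinations(cars, 2))


def collision_free(cars: dict) -> bool:
    """The postcondition of (5): forall i != j:C! x(i) != x(j)."""
    return all(cars[i].x != cars[j].x for i, j in combinations(cars, 2))


def create_car(cars: dict, n: str, new: Car) -> bool:
    """n := new C; ?forall i:C! M(i,n); E(n) := 1.
    Returns whether the test passed; otherwise the run is aborted."""
    if n in cars:
        raise ValueError(f"{n} already exists (E({n}) = 1)")
    if all(compatible(cars[i], new) for i in cars):
        cars[n] = new  # E(n) := 1: n joins the finite support
        return True
    return False


def evolve(cars: dict, t: float) -> None:
    """forall i:C! (x(i)'' = a(i)) for duration t >= 0 via the solution S_t:
    x(i) := x(i) + v(i) t + a(i)/2 t^2,  v(i) := v(i) + a(i) t."""
    if t < 0:
        raise ValueError("evolution duration must be non-negative")
    for c in cars.values():
        c.x, c.v = c.x + c.v * t + c.a / 2 * t * t, c.v + c.a * t


def run_dccs(cars: dict, schedule: list) -> bool:
    """Execute loop iterations of DCCS.  Each schedule entry is a tuple
    (n, candidate Car, duration t).  Returns True iff the invariant
    forall i,j:C! M(i,j) and collision freedom held after every iteration."""
    if not invariant(cars):
        return False
    for n, candidate, t in schedule:
        if not create_car(cars, n, candidate):
            continue  # failed test ?forall i:C! M(i,n): no transition this round
        evolve(cars, t)
        if not (invariant(cars) and collision_free(cars)):
            return False
    return True


if __name__ == "__main__":
    road = {"c1": Car(0.0, 10.0, 1.0), "c2": Car(50.0, 12.0, 1.0)}  # constructed
    print(create_car(road, "c3", Car(25.0, 0.0, 0.0)))    # stopped car in front of c1: rejected
    print(create_car(road, "c4", Car(100.0, 15.0, 2.0)))  # compatible with both: admitted
    evolve(road, 3.0)
    print(invariant(road), collision_free(road), sorted(road))
```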


6 Proof Calculus

In Fig. 2, we present a proof calculus for QdL formulas. We use the sequent notation informally for a systematic proof structure. With finite sets of formulas for the antecedent $\Gamma$ and succedent $\Delta$, sequent $\Gamma\to\Delta$ is an abbreviation for the formula $\bigwedge_{\phi\in\Gamma}\phi \to \bigvee_{\psi\in\Delta}\psi$. The calculus uses standard proof rules for propositional logic with cut rule (not shown). The proof rules are used backwards from the conclusion (goal below horizontal bar) to the premisses (subgoals above bar).

In the calculus, we use substitutions that take effect within formulas and programs (defined as usual). Only admissible substitutions are applicable, which is crucial for soundness. An application of a substitution $\sigma$ is admissible if no replaced term $\theta$ occurs in the scope of a quantifier or modality binding a symbol in $\theta$ or in its replacement $\sigma\theta$. A modality binds a symbol $f$ iff it contains an assignment to $f$ (like $\forall i{:}C\ f(s):=\theta$) or a differential equation containing a $f(s)'$ (like $\forall i{:}C\ f(s)'=\theta$). The substitutions in Fig. 2 that insert a term $\theta$ into $\phi(\theta)$ also have to be admissible for the proof rules to be applicable.

Regular Rules The next proof rules axiomatize sequential composition ([;],⟨;⟩), nondeterministic choice ([∪],⟨∪⟩), and test ([?],⟨?⟩) of regular programs as in dynamic logic [10]. Like other rules in Fig. 2, these rules do not contain sequent symbol $\to$, i.e., they can be applied to any subformula. These rules represent (directed) equivalences: conclusion and premiss are equivalent.

Quantified Differential Equations Rules ['],⟨'⟩ handle continuous evolutions for quantified differential equations with first-order definable solutions. Given a solution for the quantified differential equation system with symbolic initial values $f(s)$, continuous evolution along differential equations can be replaced with a quantified assignment $\forall i{:}C\ \mathcal{S}(t)$ corresponding to the solution (footnote 1 in Fig. 2), and an additional quantifier for evolution time $t$. In ['], postcondition $\phi$ needs to hold for all evolution durations $t$. In ⟨'⟩, it needs to hold after some duration $t$. The constraint on $\chi$ restricts the continuous evolution to remain in the evolution domain region $\chi$ at all intermediate times $\tilde t \le t$.

For schematic cases like $\forall i{:}C\ f(i)'=a(i)$, first-order definable solutions can be obtained by adding argument $i$ to first-order definable solutions of the deparametrized version $f'=a$. We only present proof rules for first-order definable solutions of quantified differential equations here. See [18] for other proof rules.
Figure 2 as extracted is rule-schemata layout residue. The rules recoverable from it, written premiss / conclusion, are:

(ex) axiom: $\exists n{:}C\ E(n)=0$

(∃r) $\Gamma \to \phi(\theta), \exists x\,\phi(x), \Delta$ / $\Gamma \to \exists x\,\phi(x), \Delta$ (footnote 4)

(∀l) $\Gamma, \phi(\theta), \forall x\,\phi(x) \to \Delta$ / $\Gamma, \forall x\,\phi(x) \to \Delta$ (footnote 4)

(∀r) $\Gamma \to \phi(f(X_1,\dots,X_n)), \Delta$ / $\Gamma \to \forall x\,\phi(x), \Delta$ (footnote 5)

(∃l) $\Gamma, \phi(f(X_1,\dots,X_n)) \to \Delta$ / $\Gamma, \exists x\,\phi(x) \to \Delta$ (footnote 5)

([:*]) $\forall j{:}C\ \phi(\theta)$ / $[\forall j{:}C\ n:=\theta]\phi(n)$

(⟨:*⟩) $\exists j{:}C\ \phi(\theta)$ / $\langle\forall j{:}C\ n:=\theta\rangle\phi(n)$

(i∀) $\mathrm{QE}(\forall X,Y\ (\text{if } s=t \text{ then } \Phi(X)\to\Psi(X) \text{ else } \Phi(X)\to\Psi(Y) \text{ fi}))$ / $\Phi(f(s))\to\Psi(f(t))$ (footnote 6)

(i∃) $\mathrm{QE}(\exists X\ \bigwedge_i(\Phi_i\to\Psi_i))$ / $\Phi_1\to\Psi_1 \quad\cdots\quad \Phi_n\to\Psi_n$ (footnote 7; one premiss closing several conclusions)

([]gen) $\phi\to\psi$ / $\Gamma, [\alpha]\phi \to [\alpha]\psi, \Delta$

(⟨⟩gen) $\phi\to\psi$ / $\Gamma, \langle\alpha\rangle\phi \to \langle\alpha\rangle\psi, \Delta$

(ind) $\phi\to[\alpha]\phi$ / $\Gamma, \phi\to[\alpha^*]\phi, \Delta$

(con) $v>0\wedge\phi(v)\to\langle\alpha\rangle\phi(v-1)$ / $\Gamma, \exists v\,\phi(v)\to\langle\alpha^*\rangle\exists v{\le}0\ \phi(v), \Delta$ (footnote 8)

The schemata for [;],⟨;⟩, [∪],⟨∪⟩, [?],⟨?⟩, ['],⟨'⟩, [:=],⟨:=⟩ and skip did not survive extraction; Section 6 describes them.

1 $t, \tilde t$ are new variables, $\forall i{:}C\ \mathcal{S}(t)$ is the quantified assignment $\forall i{:}C\ f(s):=y_s(t)$ with solutions $y_s(t)$ of the (injective) differential equations and $f(s)$ as initial values.

2 Occurrence $f(u)$ in $\phi(f(u))$ is not in scope of a modality (admissible substitution) and we abbreviate assignment $\forall i{:}C\ f(s):=\theta$ by $\mathcal{A}$, which is assumed to be injective.

3 if $\Upsilon\neq f$ and the quantified assignment $\forall i{:}C\ f(s):=\theta$ is injective. The same rule applies for $\langle\forall i{:}C\ f(s):=\theta\rangle$ instead of $[\forall i{:}C\ f(s):=\theta]$.

4 $\theta$ is an arbitrary term, often a new logical variable.

5 $f$ is a new (Skolem) function and $X_1,\dots,X_n$ are all free logical variables of $\forall x\,\phi(x)$.

6 $X, Y$ are new variables of sort $\mathbb{R}$. QE needs to be applicable in the premiss.

7 Among all open branches, the free (existential) logical variable $X$ of sort $\mathbb{R}$ only occurs in the branches $\Phi_i\to\Psi_i$. QE needs to be defined for the formula in the premiss, especially, no Skolem dependencies on $X$ occur.

8 logical variable $v$ does not occur in $\alpha$.

Figure 2: Rule schemata of the proof calculus for quantified differential dynamic logic.


Quantified Assignments Rules [:=],⟨:=⟩ handle quantified assignments (both are equivalent for the injective case, i.e., a match for at most one $i$). Their effect depends on whether the quantified assignment $\forall i{:}C\ f(s):=\theta$ matches $f(u)$, i.e., there is a choice for $i$ such that $f(u)$ is affected by the assignment, because $u$ is of the form $s$ for some $i$. If it matches, the premiss uses the term $\theta$ assigned to $f(s)$ instead of $f(u)$, either for all possible $i{:}C$ that match $f(u)$ in case of [:=], or for some of those $i{:}C$ in case of ⟨:=⟩. Otherwise, the occurrence of $f$ in $\phi(f(u))$ will be left unchanged. Rules [:=],⟨:=⟩ make a case distinction on matching by if-then-else. In all cases, the original quantified assignment $\forall i{:}C\ f(s):=\theta$, which we abbreviate by $\mathcal{A}$, will be applied to $u$ in the premiss, because the value of argument $u$ may also be affected by $\mathcal{A}$, recursively. Rule skip characterizes that quantified assignments to $f$ have no effect on all other operators $\Upsilon\neq f$ (including other function symbols, $\wedge$, if then else fi), so that only argument $u$ is affected by prefixing $\mathcal{A}$ but $\Upsilon$ remains unchanged.

Rules [:=],⟨:=⟩,skip also apply for assignments without quantifiers, which correspond to vacuous quantification $\forall i{:}C$ where $i$ does not occur anywhere. Rules [:*],⟨:*⟩ reduce nondeterministic assignments to universal or existential quantification. For nondeterministic differential equations, see [18].

Object Creation Given our definition of $\mathrm{new}\,C$ as a QHP from Section 5, object creation can be proven by the other proof rules in Fig. 2. In addition, axiom ex expresses that, for sort $C$, there always is a new object $n$ that has not been created yet ($E(n)=0$), because domains are infinite.

Quantifiers For quantifiers, we cannot just use standard rules [8], because these are for uninterpreted first-order logic and work by instantiating quantifiers, eagerly as in ground tableaux or lazily by unification as in free variable tableaux [8]. QdL is based on first-order logic interpreted over the reals [5]. A formula like $\exists a{:}\mathbb{R}\ \forall x{:}\mathbb{R}\ (x^2+a>0)$ cannot be proven by instantiating quantifiers but is still valid for reals. Unfortunately, the decision procedure for real arithmetic, quantifier elimination (QE) in the theory of real-closed fields [5], cannot be applied to formulas with modalities either, because these are quantified reachability statements. Even in discrete dynamic logic, quantifiers plus modalities make validity $\Pi^1_1$-complete [10]. Also QE cannot handle sorts $C\neq\mathbb{R}$.

Instead, our QdL proof rules combine quantifier handling of many-sorted logic based on instantiation with theory reasoning by QE for the theory of reals. Figure 2 shows rules for quantifiers that combine with decision procedures for real-closed fields. Classical instantiation is sound for sort $\mathbb{R}$, just incomplete.

Rules ∃r and ∀l instantiate with arbitrary terms $\theta$, including a new free variable $X$, where ∃r and ∀l become the usual $\gamma$-rules [8, 9]. Rules ∀r and ∃l correspond to the $\delta$-rule [8]. As in our previous work [17], rules i∀ and i∃ reintroduce and eliminate quantifiers over $\mathbb{R}$ once QE is applicable, as the remaining constraints are first-order in the respective variables. Unlike in previous work, however, functions and different argument vectors can occur in QdL. If the argument vectors $s$ and $t$ in i∀ have the same value, the same variable $X$ can be reintroduced for $f(s)$ and $f(t)$, otherwise different variables $X, Y$ have to be used. Rule i∃ merges all proof branches containing (existential) variable $X$, because $X$ has to satisfy all branches simultaneously. It thus has multiple conclusions. See [17] for merging and for lifting QE to the presence of function symbols, including formulas that result from the base theory by substitution.


Global Rules The rules in the last block depend on the truth of their premisses in all states reachable by $\alpha$, thus the context $\Gamma, \Delta$ cannot be used in the premiss. Rules []gen,⟨⟩gen are Gödel generalization rules and ind is an induction schema for loops with inductive invariant $\phi$ [10]. Similarly, con generalizes Harel's convergence rule [10] to the hybrid case with decreasing variant $\phi$ [17].

7 Soundness and Completeness

The verification problem for distributed hybrid systems has three independent sources of undecidability. Thus, no verification technique can be effective. Hence, QdL cannot be effectively axiomatizable. Both its discrete and its continuous fragments alone are subject to Gödel's incompleteness theorem [17]. The fragment with only structural and dimension-changing dynamics is not effective either, because it can encode two-counter machines. The standard way to show adequacy of proof calculi for problems that are not effective is to prove completeness relative to an oracle for handling a fragment of the logic. Unlike in Cook/Harel relative completeness for discrete programs [10], however, QdL cannot be complete relative to the fragment of the data logic ($\mathbb{R}$), because real arithmetic is decidable. Instead, we prove that our QdL calculus is a complete axiomatization relative to an oracle for the fragment of QdL that has only quantified differential equations in modalities. We replace rules ['],⟨'⟩ with an oracle and show that the QdL calculus would be complete if only we had complete replacements for ['],⟨'⟩. The calculus completely lifts any approximation of this oracle to the full QdL!

Theorem 1 (Axiomatization) The calculus in Fig. 2 is a sound and complete axiomatization of QdL relative to quantified differential equations; see [20].

This shows that properties of distributed hybrid systems can be proven to exactly the same extent to which properties of quantified differential equations can be proven. Proof-theoretically, the QdL calculus completely lifts verification techniques for quantified continuous dynamics to distributed hybrid dynamics.


8 Distributed Car Control Verification

With the QdL calculus and the compatibility condition from eqn. (2), we can easily prove collision freedom in the distributed car control system (4):

$[(n := \mathrm{new}\,C;\ ?\forall i{:}C!\ \mathcal{M}(i,n);\ \forall i{:}C!\ (x(i)''=a(i)))^*]\ \forall i\neq j{:}C!\ x(i)\neq x(j)$ (5)

See [20] for a formal QdL proof of this QdL formula, which proves collision freedom despite dynamic appearance of new cars, following the pattern of (1).
In a similar way, we can prove collision freedom in an advanced distributed car control system that has both dynamic appearance of cars on the road and more flexibility in acceleration and braking choices of the individual cars:

$\forall i,j{:}C!\ \mathcal{M}(i,j) \to$
$[(n := \mathrm{new}\,C;\ ?\forall i{:}C!\ \mathcal{M}(i,n);$
$\quad \forall i{:}C!\ a(i) := \text{if } \forall j{:}C\ \mathrm{far}(i,j) \text{ then } a \text{ else } {-b} \text{ fi};$
$\quad \tau := 0;\ \forall i{:}C!\ (x(i)'=v(i),\ v(i)'=a(i),\ \tau'=1\ \&\ v(i)\ge0 \wedge \tau\le\varepsilon))^*$
$]\ \forall i\neq j{:}C!\ x(i)\neq x(j)$ (6)

The QHP in this QdL formula allows all cars to change their respective acceleration freely when all other cars are sufficiently far away; see (3). We choose a condition characterizing that the distributed car control system stays controllable for at least $\varepsilon$ time units (which is the maximum reaction time of the controller):

$\mathrm{far}(i,j) \;\equiv\; x(j)>x(i) \to x(j) > x(i) + \frac{v(i)^2 - v(j)^2}{2b} + \Bigl(\frac{a}{b}+1\Bigr)\Bigl(\frac{a}{2}\varepsilon^2 + \varepsilon v(i)\Bigr)$

Similarly, we choose a refined version of compatibility condition $\mathcal{M}(i,j)$ that allows varying velocities $v(i)$ for the cars whenever appropriate safety distances are respected such that the cars can still brake safely at a later point:

$i\neq j \to ((x(i)<x(j) \wedge v(i)^2 \le v(j)^2 + 2b(x(j)-x(i)) \wedge v(i)\ge0 \wedge v(j)\ge0)$

$\qquad\vee\ (x(i)>x(j) \wedge v(j)^2 \le v(i)^2 + 2b(x(i)-x(j)) \wedge v(i)\ge0 \wedge v(j)\ge0))$

See [20] for a formal QdL proof of QdL formula (6).
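One control cycle of the advanced system (6), as an added example that is not code from the paper: each created car sets $a(i)$ by the $\mathrm{far}$ test, then all cars evolve for at most $\varepsilon$ time units inside the evolution domain $v(i)\ge0$, and the refined $\mathcal{M}(i,j)$ is checked afterwards. An unguarded variant of the controller (every car accelerates) is included only to show the braking invariant being lost; the car names, parameter values and helper names are constructed for this illustration.

```python
# Added example (not from the paper): the acceleration controller of (6)
# with the far(i,j) guard, the bounded evolution, and the refined M(i,j).
from dataclasses import dataclass
from itertools import combinations


@dataclass
class Car:
    x: float          # position
    v: float          # velocity
    a: float = 0.0    # acceleration chosen by the controller


def braking_compatible(ci: Car, cj: Car, b: float) -> bool:
    """Refined M(i,j) for i != j: the car behind can brake with -b down to the
    speed of the car ahead before reaching its position."""
    if ci.x < cj.x:
        return ci.v ** 2 <= cj.v ** 2 + 2 * b * (cj.x - ci.x) and ci.v >= 0 and cj.v >= 0
    if ci.x > cj.x:
        return cj.v ** 2 <= ci.v ** 2 + 2 * b * (ci.x - cj.x) and ci.v >= 0 and cj.v >= 0
    return False  # equal positions are never compatible


def far(ci: Car, cj: Car, a: float, b: float, eps: float) -> bool:
    """far(i,j): if j is ahead of i, the gap covers what i needs to accelerate
    with a for eps time units and still brake behind j afterwards."""
    if cj.x <= ci.x:
        return True
    needed = (ci.v ** 2 - cj.v ** 2) / (2 * b) + (a / b + 1) * (a / 2 * eps ** 2 + eps * ci.v)
    return cj.x > ci.x + needed


def choose_accelerations(cars: dict, a: float, b: float, eps: float, guarded: bool = True) -> None:
    """forall i:C! a(i) := if forall j far(i,j) then a else -b fi.
    guarded=False drops the test (unsafe controller, for comparison only)."""
    for i, ci in cars.items():
        ok = all(far(ci, cars[j], a, b, eps) for j in cars if j != i)
        ci.a = a if (ok or not guarded) else -b


def evolve(cars: dict, t: float, b: float, eps: float) -> float:
    """forall i:C! (x' = v, v' = a, tau' = 1 & v >= 0 /\ tau <= eps) for
    duration t, cut at the boundary of the evolution domain.
    Returns the duration actually used."""
    t = min(t, eps)                      # tau <= eps
    for c in cars.values():
        if c.a < 0:                      # v(i) >= 0 stops the evolution when a car halts
            t = min(t, c.v / -c.a)
    for c in cars.values():
        c.x, c.v = c.x + c.v * t + c.a / 2 * t * t, c.v + c.a * t
    return t


def invariant(cars: dict, b: float) -> bool:
    """forall i,j:C! M(i,j) with the refined, velocity-aware M."""
    return all(braking_compatible(cars[i], cars[j], b) for i, j in combinations(cars, 2))


def control_cycle(cars: dict, a: float, b: float, eps: float, t: float,
                  guarded: bool = True) -> bool:
    """One iteration of the loop body of (6) without object creation.
    Returns whether forall i,j:C! M(i,j) still holds afterwards."""
    choose_accelerations(cars, a, b, eps, guarded)
    evolve(cars, t, b, eps)
    return invariant(cars, b)


if __name__ == "__main__":
    A, B, EPS = 2.0, 5.0, 1.0                                   # constructed parameters
    road = {"c1": Car(0.0, 20.0), "c2": Car(30.0, 10.0)}        # c1 closing in fast on c2
    print(control_cycle(road, A, B, EPS, 1.0), road)            # c1 brakes; invariant kept
    unsafe = {"c1": Car(0.0, 20.0), "c2": Car(30.0, 10.0)}
    print(control_cycle(unsafe, A, B, EPS, 1.0, guarded=False)) # invariant lost
```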


9 Conclusions

We have introduced a system model and semantics for dynamic distributed hybrid systems together with a compositional verification logic and proof calculus. We believe this is the first formal verification approach for distributed hybrid dynamics, where structure and dimension of the system can evolve jointly with the discrete and continuous dynamics. We have proven our calculus to be a sound and complete axiomatization relative to quantified differential equations. Our calculus proves collision avoidance in distributed car control with dynamic appearance of new cars on the road, which is out of scope for other approaches.

Future work includes modular concurrency in distributed hybrid systems, which is already challenging in discrete programs.
A Proofs for Distributed Car Control

In this section we prove collision freedom of the simple and the advanced distributed car control system from Section 8. First we introduce derived proof rules to obtain shorter derivations. For short notation, we abbreviate $E(i)=1$ by the predicate $E(i)$, and abbreviate $E(i)=0$ by $\neg E(i)$. Likewise, we write $E(i):=1$ as $E(i):=\top$ where $\top$ is the formula "true".

A.1 Derived Proof Rules

Figure 3 shows derived rules for concise reasoning in common cases. Rule new axiomatizes object creation as a simple consequence of the definition of $\mathrm{new}\,C$ (Section 5). It chooses any $n$ that did not exist before ($\neg E(n)$) and adjusts existence ($E(n):=\top$). Object creation gets propagated to actualist quantifiers $\forall i{:}C!$, $\exists i{:}C!$ ranging over all created objects, or quantified assignments / differential equations for all created objects by ν∀, ν∃, νA.

Derived rules ν∀, ν∃, νA characterize the effect of creating objects of type $C$ on actualist quantifiers over type $C!$ (for ν∀, ν∃) or on actualist quantified assignments over $C!$ (νA). They commute object creation with quantification, retaining the effect on the new object explicitly. Rule ν∀ states that the new object denoted by $n$, which may not have been created before, needs to satisfy $\phi(n)$ too in order for $\forall i{:}C!\ \phi(i)$ to hold after $E(n):=\top$ ensures $n$ is created. Dually, ν∃ states that created object $n$ is an alternative choice for $i$, in addition to the previous domain of $C!$.

Similarly, rule νA states that, after creating an object of type $C$, this created object will be affected by actualist quantified assignments ranging over $C!$, so that commuting has to take care of the effect on the new object explicitly. For this common situation where $n$ is adjoined to the range of quantification ($n$ might even have been in the range before, so the union is not always disjoint), we use the following mnemonic abbreviation in the premiss of νA:

$\forall i{:}C!\cup\{n\}\ f(s):=\theta \;\equiv\; \forall i{:}C\ f(s):=\text{if } i=n \vee E(i) \text{ then } \theta \text{ else } f(s) \text{ fi}$


The derived rules of Figure 3, written premiss / conclusion:

(ν∀) $\langle E(n):=\top\rangle\phi(n) \wedge \forall i{:}C!\ \langle E(n):=\top\rangle\phi(i)$ / $\langle E(n):=\top\rangle\forall i{:}C!\ \phi(i)$

(ν∃) $\langle E(n):=\top\rangle\phi(n) \vee \exists i{:}C!\ \langle E(n):=\top\rangle\phi(i)$ / $\langle E(n):=\top\rangle\exists i{:}C!\ \phi(i)$

(νA) $\langle\forall i{:}C!\cup\{n\}\ f(s):=\theta\rangle\langle E(n):=\top\rangle\phi$ / $\langle E(n):=\top\rangle\langle\forall i{:}C!\ f(s):=\theta\rangle\phi$

(new) $\forall n{:}C\ (\neg E(n) \to \langle E(n):=\top\rangle\phi)$ / $\langle n := \mathrm{new}\,C\rangle\phi$ (footnote 1)

1 $n$ is of type $C$.

Figure 3: Derived proof rules for object creation in quantified differential dynamic logic.


Proposition 1 The proof rules in Fig. 3 are derived rules.

Proof: In order to prove Proposition 1, we show that the respective proof rules in Fig. 3 can be derived from the proof rules in Fig. 2 with standard propositional and first-order reasoning. Rule ν∀ is a derived rule (each line is the conclusion of the step from the line above it; the rule used is given at the left where it is not plain first-order reasoning):

$\langle E(n):=\top\rangle\phi(n) \wedge \forall i{:}C!\ \langle E(n):=\top\rangle\phi(i)$
$\langle E(n):=\top\rangle\phi(n) \wedge \forall i{:}C\ (E(i) \to \langle E(n):=\top\rangle\phi(i))$
$\forall i{:}C\ ((i=n \to \langle E(n):=\top\rangle\phi(i)) \wedge (i\neq n \to (E(i) \to \langle E(n):=\top\rangle\phi(i))))$
$\forall i{:}C\ (\text{if } i=n \text{ then } \top \text{ else } E(i) \text{ fi} \to \langle E(n):=\top\rangle\phi(i))$
[:=],⟨:=⟩ $\forall i{:}C\ (\langle E(n):=\top\rangle E(i) \to \langle E(n):=\top\rangle\phi(i))$
skip,skip $\langle E(n):=\top\rangle\forall i{:}C\ (E(i) \to \phi(i))$
$\langle E(n):=\top\rangle\forall i{:}C!\ \phi(i)$

This proof uses simple boolean reasoning (formally: cut) to substitute in $i=n$ in the left conjunct and remove $i\neq n$ on the right conjunct ($i=n$ can be covered in both conjuncts).

Rule ν∃ is a derived rule with a similar proof:

$\langle E(n):=\top\rangle\phi(n) \vee \exists i{:}C!\ \langle E(n):=\top\rangle\phi(i)$
$\langle E(n):=\top\rangle\phi(n) \vee \exists i{:}C\ (E(i) \wedge \langle E(n):=\top\rangle\phi(i))$
$\exists i{:}C\ ((i=n \wedge \langle E(n):=\top\rangle\phi(i)) \vee (i\neq n \wedge E(i) \wedge \langle E(n):=\top\rangle\phi(i)))$
$\exists i{:}C\ ((i=n \to \langle E(n):=\top\rangle\phi(i)) \wedge (i\neq n \to E(i)) \wedge \langle E(n):=\top\rangle\phi(i))$
$\exists i{:}C\ (\text{if } i=n \text{ then } \top \text{ else } E(i) \text{ fi} \wedge \langle E(n):=\top\rangle\phi(i))$
[:=],⟨:=⟩ $\exists i{:}C\ (\langle E(n):=\top\rangle E(i) \wedge \langle E(n):=\top\rangle\phi(i))$
skip,skip $\langle E(n):=\top\rangle\exists i{:}C\ (E(i) \wedge \phi(i))$
$\langle E(n):=\top\rangle\exists i{:}C!\ \phi(i)$

Assuming $E(\cdot)$ does not occur in the assignment $f(s):=\theta$, the rule νA is a derived proof rule:

$\langle\forall i{:}C!\cup\{n\}\ f(s):=\theta\rangle\langle E(n):=\top\rangle\phi$
$\langle\forall i{:}C\ f(s):=\text{if } i=n \vee E(i) \text{ then } \theta \text{ else } f(s) \text{ fi}\rangle\langle E(n):=\top\rangle\phi$
$\langle\forall i{:}C\ f(s):=\text{if } (\text{if } i=n \text{ then } \top \text{ else } E(i) \text{ fi}) \text{ then } \theta \text{ else } f(s) \text{ fi}\rangle\langle E(n):=\top\rangle\phi$
[:=],⟨:=⟩ $\langle E(n):=\top\rangle\langle\forall i{:}C\ f(s):=\text{if } E(i) \text{ then } \theta \text{ else } f(s) \text{ fi}\rangle\phi$
$\langle E(n):=\top\rangle\langle\forall i{:}C!\ f(s):=\theta\rangle\phi$

If, instead, $E(\cdot)$ does occur in $f(s):=\theta$, then there is a similar derived rule where $s$ and $\theta$ are affected accordingly. Rule new is a derived rule by the definition of $\mathrm{new}\,C$ as a QHP from Section 5, using ex to show existence of an $n$ for $\langle n := \mathrm{new}\,C\rangle\phi$. □

A.2 Proofs for Simple Distributed Car Control

In the QdL calculus, we prove collision freedom for the simpler distributed car control system, i.e., QdL formula (5) from Section 8, even in the presence of dynamic appearance of new cars on the road. The proof is shown in Fig. 4. It uses induction rule ind with invariant $\forall i,j{:}C!\ \mathcal{M}(i,j)$. We recall the following abbreviations:

$\mathcal{M}(i,j) \;\equiv\; i\neq j \to ((x(i)<x(j) \wedge v(i)\le v(j) \wedge a(i)\le a(j)) \vee (x(i)>x(j) \wedge v(i)\ge v(j) \wedge a(i)\ge a(j)))$

$\forall i{:}C!\ (x(i)''=a(i)) \;\equiv\; \forall i{:}C!\ (x(i)'=v(i),\ v(i)'=a(i))$

We use the notation $[\![\alpha]\!]\phi$ as synonymous for $[\alpha]\phi$ here just to have more readable bracket grouping. Figure 4 does not show the branch proving that the invariant $\forall i,j{:}C!\ \mathcal{M}(i,j)$ implies the postcondition $\forall i\neq j{:}C!\ x(i)\neq x(j)$, which is simple to show.


Figure 4 as extracted is proof-tree layout residue. The main branch of the proof, from the conclusion (bottom of the figure) upward, is recoverable as follows; each line is the conclusion of the rule named at its left, with the line after it as premiss:

ind (premiss of the induction step for (5)): $\forall i,j{:}C!\ \mathcal{M}(i,j) \to [n := \mathrm{new}\,C;\ ?\forall i{:}C!\ \mathcal{M}(i,n);\ \forall i{:}C!\ (x(i)''=a(i))]\ \forall i,j{:}C!\ \mathcal{M}(i,j)$

[;]: $\forall i,j{:}C!\ \mathcal{M}(i,j) \to [n := \mathrm{new}\,C][?\forall i{:}C!\ \mathcal{M}(i,n);\ \forall i{:}C!\ (x(i)''=a(i))]\ \forall i,j{:}C!\ \mathcal{M}(i,j)$

new (followed directly by ∀r, ¬r): $E(n)=0,\ \forall i,j{:}C!\ \mathcal{M}(i,j) \to [E(n):=1][?\forall i{:}C!\ \mathcal{M}(i,n);\ \forall i{:}C!\ (x(i)''=a(i))]\ \forall i,j{:}C!\ \mathcal{M}(i,j)$

[?]: $\forall i,j{:}C!\ \mathcal{M}(i,j) \to [E(n):=1](\forall i{:}C!\ \mathcal{M}(i,n) \to [\forall i{:}C!\ (x(i)''=a(i))]\ \forall i,j{:}C!\ \mathcal{M}(i,j))$

$\forall i,j{:}C!\ \mathcal{M}(i,j),\ [E(n):=1]\forall i{:}C!\ \mathcal{M}(i,n) \to [E(n):=1][\forall i{:}C!\ (x(i)''=a(i))]\ \forall i,j{:}C!\ \mathcal{M}(i,j)$

ν∀ (with $\mathcal{M}(n,n)$ simplified to true): $\forall i,j{:}C!\ \mathcal{M}(i,j),\ \forall i{:}C!\ \mathcal{M}(i,n) \to [E(n):=1][\forall i{:}C!\ (x(i)''=a(i))]\ \forall i,j{:}C!\ \mathcal{M}(i,j)$

[']: $\forall i,j{:}C!\ \mathcal{M}(i,j),\ \forall i{:}C!\ \mathcal{M}(i,n) \to [E(n):=1]\forall t{\ge}0\ [\forall i{:}C!\ \mathcal{S}_t(i)]\ \forall i,j{:}C!\ \mathcal{M}(i,j)$

∀r, →r: $\forall i,j{:}C!\ \mathcal{M}(i,j),\ \forall i{:}C!\ \mathcal{M}(i,n),\ t\ge0 \to [E(n):=1][\forall i{:}C!\ \mathcal{S}_t(i)]\ \forall i,j{:}C!\ \mathcal{M}(i,j)$

νA: $\ldots,\ t\ge0 \to [\forall i{:}C!\cup\{n\}\ \mathcal{S}_t(i)][E(n):=1]\ \forall i,j{:}C!\ \mathcal{M}(i,j)$

ν∀: $\ldots,\ t\ge0 \to [\forall i{:}C!\cup\{n\}\ \mathcal{S}_t(i)](\forall i{:}C!\ \mathcal{M}(i,n) \wedge \mathcal{M}(n,n) \wedge \forall i,j{:}C!\ \mathcal{M}(i,j) \wedge \forall j{:}C!\ \mathcal{M}(n,j))$

simplification (see DCCS Verification below): $\ldots,\ t\ge0 \to [\forall i{:}C!\cup\{n\}\ \mathcal{S}_t(i)]\ \forall i,j{:}C!\ (\mathcal{M}(i,n) \wedge \mathcal{M}(i,j))$

∀r: $\ldots,\ t\ge0 \to [\forall i{:}C!\cup\{n\}\ \mathcal{S}_t(i)](\mathcal{M}(i,n) \wedge \mathcal{M}(i,j))$

[:=]: $\forall i,j{:}C!\ \mathcal{M}(i,j),\ \forall i{:}C!\ \mathcal{M}(i,n),\ t\ge0 \to \mathcal{S}_t\mathcal{M}(i,n) \wedge \mathcal{S}_t\mathcal{M}(i,j)$

∧r splits into two branches. In each, ∀l instantiates the antecedent, i∀ replaces the function terms by real variables, and QE closes the branch (*):

$\forall i{:}C!\ \mathcal{M}(i,n),\ t\ge0 \to \mathcal{S}_t\mathcal{M}(i,n)$; ∀l: $\mathcal{M}(i,n),\ t\ge0 \to \mathcal{S}_t\mathcal{M}(i,n)$; i∀: $\mathcal{M}_{i,n},\ t\ge0 \to \mathcal{S}_t\mathcal{M}_{i,n}$; * by QE

$\forall i,j{:}C!\ \mathcal{M}(i,j),\ \forall i{:}C!\ \mathcal{M}(i,n),\ t\ge0 \to \mathcal{S}_t\mathcal{M}(i,j)$; ∀l: $\mathcal{M}(i,j),\ \forall i{:}C!\ \mathcal{M}(i,n),\ t\ge0 \to \mathcal{S}_t\mathcal{M}(i,j)$; i∀: $\mathcal{M}_{i,j},\ t\ge0 \to \mathcal{S}_t\mathcal{M}_{i,j}$; * by QE

Abbreviations used in the figure:

$\mathcal{M}(i,j) \;\equiv\; i\neq j \to ((x(i)<x(j) \wedge v(i)\le v(j) \wedge a(i)\le a(j)) \vee (x(i)>x(j) \wedge v(i)\ge v(j) \wedge a(i)\ge a(j)))$

$\mathcal{M}_{i,j} \;\equiv\; \text{if } i=j \text{ then } i\neq i \to ((X_i<X_i \wedge V_i\le V_i \wedge A_i\le A_i) \vee (X_i>X_i \wedge V_i\ge V_i \wedge A_i\ge A_i))$
$\qquad\text{else } i\neq j \to ((X_i<X_j \wedge V_i\le V_j \wedge A_i\le A_j) \vee (X_i>X_j \wedge V_i\ge V_j \wedge A_i\ge A_j)) \text{ fi}$
$\qquad\equiv\; i\neq j \to ((X_i<X_j \wedge V_i\le V_j \wedge A_i\le A_j) \vee (X_i>X_j \wedge V_i\ge V_j \wedge A_i\ge A_j))$

$\mathcal{S}_t(i) \;\equiv\; x(i) := x(i) + v(i)\,t + \frac{a(i)}{2}t^2,\ v(i) := v(i) + a(i)\,t$

$\mathcal{S}_t\mathcal{M}(i,j) \;\equiv\; i\neq j \to ((x(i)+v(i)t+\frac{a(i)}{2}t^2 < x(j)+v(j)t+\frac{a(j)}{2}t^2 \wedge v(i)+a(i)t \le v(j)+a(j)t \wedge a(i)\le a(j))$
$\qquad\vee\ (x(i)+v(i)t+\frac{a(i)}{2}t^2 > x(j)+v(j)t+\frac{a(j)}{2}t^2 \wedge v(i)+a(i)t \ge v(j)+a(j)t \wedge a(i)\ge a(j)))$

$\mathcal{S}_t\mathcal{M}_{i,j} \;\equiv\; i\neq j \to ((X_i+V_i t+\frac{A_i}{2}t^2 < X_j+V_j t+\frac{A_j}{2}t^2 \wedge V_i+A_i t \le V_j+A_j t \wedge A_i\le A_j)$
$\qquad\vee\ (X_i+V_i t+\frac{A_i}{2}t^2 > X_j+V_j t+\frac{A_j}{2}t^2 \wedge V_i+A_i t \ge V_j+A_j t \wedge A_i\ge A_j))$

Figure 4: QdL proof for collision freedom in distributed car control.


DCCS Verification To save space in the car proof, we directly apply proof rules ∀r, ¬r after the new rule in Fig. 4. Furthermore, the top-most ν∀ rule application in Fig. 4 and its subsequent simplification step

$(\mathcal{M}(n,n) \wedge \forall i{:}C!\ \mathcal{M}(i,n) \wedge \forall j{:}C!\ \mathcal{M}(n,j) \wedge \forall i,j{:}C!\ \mathcal{M}(i,j))$
ν∀ $[E(n):=1]\forall i,j{:}C!\ \mathcal{M}(i,j)$

is justified by

$(\mathcal{M}(n,n) \wedge \forall i{:}C!\ \mathcal{M}(i,n) \wedge \forall j{:}C!\ \mathcal{M}(n,j) \wedge \forall i,j{:}C!\ \mathcal{M}(i,j))$
$\mathcal{M}(n,n) \wedge \forall j{:}C!\ \mathcal{M}(n,j) \wedge \forall i{:}C!\ (\mathcal{M}(i,n) \wedge \forall j{:}C!\ \mathcal{M}(i,j))$
ν∀ $[E(n):=1]\forall j{:}C!\ \mathcal{M}(n,j) \wedge \forall i{:}C!\ [E(n):=1]\forall j{:}C!\ \mathcal{M}(i,j)$
ν∀ $[E(n):=1]\forall i{:}C!\ \forall j{:}C!\ \mathcal{M}(i,j)$

There, $\mathcal{M}(n,n)$ simplifies to true, because it assumes $n\neq n$. Likewise, $\forall j{:}C!\ \mathcal{M}(n,j)$ is subsumed by $\forall i{:}C!\ \mathcal{M}(i,n)$, because $\mathcal{M}(i,j)$ is equivalent to $\mathcal{M}(j,i)$.
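The real-arithmetic step that closes the branch $\mathcal{M}_{i,j},\ t\ge0 \to \mathcal{S}_t\mathcal{M}_{i,j}$ by QE can be carried out by hand; the following derivation is added here and is not part of the paper's Fig. 4. It uses the figure's variables $X_i, V_i, A_i$ and treats the first disjunct of $\mathcal{M}_{i,j}$ (the second is symmetric with the inequalities reversed; the branch for $\mathcal{M}_{i,n}$ is the same with $n$ for $j$).

```latex
\text{Assume } i\neq j,\ X_i < X_j,\ V_i \le V_j,\ A_i \le A_j,\ t \ge 0.\\[4pt]
(V_j + A_j t) - (V_i + A_i t) \;=\; (V_j - V_i) + (A_j - A_i)\,t \;\ge\; 0,
\quad\text{since both summands are} \ge 0 \text{ for } t\ge0.\\[4pt]
\Bigl(X_j + V_j t + \tfrac{A_j}{2}t^2\Bigr) - \Bigl(X_i + V_i t + \tfrac{A_i}{2}t^2\Bigr)
\;=\; (X_j - X_i) + (V_j - V_i)\,t + \tfrac{A_j - A_i}{2}\,t^2 \;>\; 0,\\
\quad\text{since } X_j - X_i > 0 \text{ and the remaining summands are} \ge 0.\\[4pt]
\text{Hence } X_i + V_i t + \tfrac{A_i}{2}t^2 < X_j + V_j t + \tfrac{A_j}{2}t^2,\ 
V_i + A_i t \le V_j + A_j t,\ A_i \le A_j,\\
\text{which is the first disjunct of } \mathcal{S}_t\mathcal{M}_{i,j},
\text{ so } \mathcal{M}_{i,j} \wedge t\ge0 \to \mathcal{S}_t\mathcal{M}_{i,j} \text{ is valid over } \mathbb{R}.
```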

A.3 Proofs for Advanced Distributed Car Control with Acceleration

In this section, we show a formal QdL proof of the QdL formula (6) for the advanced distributed car control system. See Fig. 5 on page 21 for a proof of distributed car control in the presence of free acceleration and braking, regulated only by the safety distances to other cars. The proof uses induction rule ind with invariant $\forall i,j{:}C!\ \mathcal{M}(i,j)$. We use the notation $[\![\alpha]\!]\phi$ as synonymous for $[\alpha]\phi$ here just to have more readable bracket grouping.

The major difference of the distributed car dynamics considered on page 21 compared to Fig. 4 is that the operation $\forall i{:}C!\ \mathcal{A}(i)$ adjusts the respective accelerations $a(i)$ of all cars $i$ differently depending on the distance to other cars. In particular, the cars no longer have monotonically increasing velocities and accelerations. For each car $i$, however, maximum acceleration $a(i):=a$ is only permitted when the safety distance is big enough, otherwise the car brakes by $a(i):=-b$ (for maximum acceleration constant $a>0$ and maximum braking force $b>0$).

The safety condition in $\mathcal{A}(i)$ for an acceleration choice of car $i$ is that for cars $j$ further down the road (greater positions $x(j)>x(i)$), the distance $x(j)-x(i)$ must be large enough so that car $i$ can safely accelerate for up to $\varepsilon$ time units and still keep the safety distance to $j$ in the future by appropriate braking, in spite of the increased velocity. This safety distance depends on the respective velocities $v(i)$ and $v(j)$ as well as $a, b, \varepsilon$. Parameter $\varepsilon$ is the maximum reaction time for reacting to situation changes, which results from sensor polling frequencies, worst-case computation times, and latencies in actuator activation. Every control cycle is restricted to take at most $\varepsilon$ time units by the evolution domain restriction $\tau\le\varepsilon$ in the definition of the continuous dynamics that we abbreviate by $\forall i{:}C!\ (x(i)''=a(i))$ as defined on page 21. The definition of the compatibility condition $\mathcal{M}(i,j)$ is adapted correspondingly to take into account that the cars may move with completely different accelerations, if only the safety distances are compatible with the different velocities:

$\mathcal{M}(i,j) \;\equiv\; i\neq j \to ((x(i)<x(j) \wedge v(i)^2 \le v(j)^2 + 2b(x(j)-x(i)) \wedge v(i)\ge0 \wedge v(j)\ge0)$

$\qquad\vee\ (x(i)>x(j) \wedge v(j)^2 \le v(i)^2 + 2b(x(i)-x(j)) \wedge v(i)\ge0 \wedge v(j)\ge0))$

In fact, any acceleration between $-b$ and $a$ could also be chosen safely in the acceleration case of $\mathcal{A}(i)$, which only makes the proof slightly more complicated.

A.4 Existence and Uniqueness

Existence/uniqueness of solutions by the Picard-Lindelöf / Cauchy-Lipschitz theorem [24, Theorem 10.VI] and by the Peano theorem [24, Theorem 10.IX] carry over to case 2 of the semantics $\rho(\alpha)$ in Section 4
[Figure 5: QdL proof for collision freedom in distributed car control with acceleration. The proof tree itself is not reproduced here. Its root is the sequent
\[
\forall i, j{:}C!\ \mathcal{M}(i,j) \to \big[\big(n := \mathrm{new}\ C;\ ?\forall i{:}C!\ \mathcal{M}(i,n);\ \forall i{:}C!\ \mathcal{A}(i);\ \forall i{:}C!\,(x(i)'' = a(i))\big)^*\big]\ \forall i \neq j{:}C!\ x(i) \neq x(j),
\]
which is proven with rule ind for the loop, the rules for new, $[?]$, $[;]$, $[{:=}]$ and $[']$ for the loop body, a split of the postcondition into $\forall i{:}C!\ \mathcal{M}(i,n) \land \forall i, j{:}C!\ \mathcal{M}(i,j)$, and rule $i\forall$ followed by QE on the remaining arithmetic leaves. The recoverable abbreviations used in the figure are:
\[
\forall i{:}C!\,(x(i)'' = a(i)) \equiv t := 0;\ \forall i{:}C!\,(x(i)' = v(i),\ v(i)' = a(i),\ t' = 1\ \&\ v(i) \ge 0 \land t \le \varepsilon)
\]
\[
\mathcal{M}(i,j) \equiv i \neq j \to \big( (x(i) < x(j) \land v(i)^2 < v(j)^2 + 2b\,(x(j) - x(i)) \land v(i), v(j) \ge 0) \lor (x(i) > x(j) \land v(j)^2 < v(i)^2 + 2b\,(x(i) - x(j)) \land v(i), v(j) \ge 0) \big)
\]
\[
\mathcal{S}t(i) \equiv x(i) := x(i) + v(i)\,t + \tfrac{a(i)}{2} t^2,\quad v(i) := v(i) + a(i)\,t
\]
$\mathcal{A}(i)$ is the controller $a(i) := \text{if } \ldots \text{ then } a \text{ else } {-b} \text{ fi}$ whose test quantifies over all cars $j$ ahead of $i$ and compares their distance with the braking-distance term plus the margin $(\tfrac{a}{b} + 1)(\tfrac{a}{2}\varepsilon^2 + \varepsilon\,v(i))$. $\mathcal{A}\mathcal{S}t\mathcal{M}(i,j)$ denotes $\mathcal{M}(i,j)$ after substituting the effects of $\mathcal{A}(i)$ and $\mathcal{S}t(i)$; its expanded form is a case distinction on the two branches of $\mathcal{A}(i)$ and $\mathcal{A}(j)$ and is not reproduced. $\mathcal{M}_{i,j}$, the case distinction that rule $i\forall$ introduces for $\mathcal{M}(i,j)$, collapses back to $\mathcal{M}(i,j)$ because both of its branches coincide.]


if it only affects a finite subdomain of $\sigma(C)$, because the quantifier then corresponds to a finite set of classical differential equations. (The number of differential equations may still change dynamically over time, though, so that the quantified differential equation system cannot be replaced with an unquantified differential equation system in the QHP.) For infinite $\sigma(C)$, the theorems carry over to schematic $\forall i{:}C\ f(i)' = \theta\ \&\ \chi$, which give an (infinite) set of disconnected classical differential equations. In all these cases, Picard-Lindelöf's theorem implies that the solution is unique when the terms are continuously differentiable (on the open domain where divisors are non-zero). For general infinite-dimensional differential equations see [3]. QdL is also compatible with temporal operators that refer to intermediate states and nonterminating traces [19].
B Soundness and Relative Completeness Proof

In this section, we present a fully constructive proof of Theorem 1. First, we show that the QdL calculus is a sound axiomatization of QdL ([20]). Second, we prove that the QdL calculus is a complete axiomatization relative to quantified differential equations: every valid QdL formula can be derived in the QdL calculus from elementary properties of quantified differential equations (remainder of [20]).

In addition to the soundness proof, we present a relative completeness proof for QdL. The basic structure follows that of our relative completeness proof for unquantified differential dynamic logic for fixed-dimensional static hybrid systems in previous work [17]. Here we generalize the proof to QdL. A fundamental difference to previous work is that states can be characterized trivially in fixed-dimensional static hybrid systems, but it is not obvious why a finite formula would be sufficient in varying dimensions. In (dynamic) distributed hybrid systems, we have to prove that there is a finite formula that can characterize and identify all states (see [20]). In fixed-dimensional static hybrid systems, states can be characterized and identified trivially by a fixed vector of real numbers, one for each system variable. In QdL, instead, states are full first-order structures with interpretations of functions for all function symbols, and the ability to characterize semantic states in logic is no longer obvious. States are no longer assignments of real numbers to a finite number of variables; in QdL, states are first-order interpretations of function symbols.

As a basis for the relative completeness proof, we define FOQD as the first-order logic of quantified differential equations, i.e., first-order real arithmetic augmented with formulas expressing properties of quantified differential equations, that is, QdL formulas of the form $[\forall i{:}C\ f(s)' = \theta\ \&\ \chi]\,F$. Dually, $\langle\forall i{:}C\ f(s)' = \theta\ \&\ \chi\rangle F$ is expressible as $\neg[\forall i{:}C\ f(s)' = \theta\ \&\ \chi]\neg F$. Now the relative completeness direction of Theorem 1 corresponds to proving that for every valid QdL formula, there is a finite set of valid FOQD formulas from which it can be derived in the QdL calculus. See Section 7 for a road map of the proof. We give the full proof below.

Natural numbers are definable in FOQD by a simple corollary to a previous result [17, Theorem 2]. Thus, we allow quantifiers over natural numbers like $\forall x{:}\mathbb{N}\ \phi$ and $\exists x{:}\mathbb{N}\ \phi$ and over integers $\forall x{:}\mathbb{Z}\ \phi$ as abbreviations.

B.1 Soundness Proof

For one direction of the proof of Theorem 1, we have to show that the QdL calculus in Fig. 2 is, indeed, a sound axiomatization. An unsound calculus would not be very interesting, and, in particular, it would not be sound and complete relative to quantified differential equations.

Theorem 2 (Soundness) The QdL calculus is sound: every QdL formula that can be proven is valid, i.e., true in all states.

Proof: The calculus is sound if each rule instance is sound. Some of the rules of the QdL calculus are even locally sound, i.e., their conclusion is true at a state $\sigma$ if all its premisses are true in $\sigma$, which implies soundness. The proofs for the propositional rules and the regular rules $[;], \langle;\rangle, [\cup], \langle\cup\rangle, [?], \langle?\rangle$ are as usual. We refer to previous work [17] for the soundness proofs for $\exists r, \forall l, \forall r, \exists l, i\exists$, which are slightly more involved.
$i\forall$ Rule $i\forall$ is locally sound. Assume the premiss
\[
\sigma \models \mathrm{QE}\big(\forall X, Y\ (\text{if } s = t \text{ then } \phi(X) \to \psi(X) \text{ else } \phi(X) \to \psi(Y) \text{ fi})\big).
\]
Since QE yields an equivalence, we can conclude
\[
\sigma \models \forall X, Y\ (\text{if } s = t \text{ then } \phi(X) \to \psi(X) \text{ else } \phi(X) \to \psi(Y) \text{ fi}).
\]
This is equivalent to $\sigma \models \text{if } s = t \text{ then } \forall X\,(\phi(X) \to \psi(X)) \text{ else } \forall X, Y\,(\phi(X) \to \psi(Y)) \text{ fi}$, because the fresh variables $X, Y$ do not occur in $s$ or $t$. Then assume the antecedent of the conclusion is true, i.e., $\sigma \models \phi(f(s))$. We conclude that the succedent of the conclusion is true, $\sigma \models \psi(f(t))$, by choosing $\sigma[\![f(s)]\!]$ for $X$ and $\sigma[\![f(t)]\!]$ for $Y$ in the premiss. If $\sigma \models \neg(s = t)$, then $\sigma \models \psi(f(t))$ follows directly from the premiss. If, otherwise, $\sigma \models s = t$, then $\sigma \models \psi(f(t))$ also follows, because the choice $\sigma[\![f(s)]\!]$ for $X$ is identical to the choice $\sigma[\![f(t)]\!]$ for $Y$ in the premiss. By admissibility of substitutions, any variables occurring in the terms $s$ and $t$ are free at all occurrences of $f(s)$ and $f(t)$, hence their value is the same in all occurrences.

$\langle{:=}\rangle$ Rule $\langle{:=}\rangle$ is locally sound for injective $\forall i{:}C\ f(s) := \theta$, which we abbreviate as $\mathcal{A}$. Injective $\mathcal{A}$ give a deterministic transition. Assume the premiss
\[
\sigma \models \text{if } \exists i{:}C\ s = \langle\mathcal{A}\rangle u \text{ then } \exists i{:}C\,(s = \langle\mathcal{A}\rangle u \land \phi(\theta)) \text{ else } \phi(f(\langle\mathcal{A}\rangle u)) \text{ fi}.
\]
We have to show that $\sigma \models \phi(\langle\forall i{:}C\ f(s) := \theta\rangle f(u))$. First assume that, with a fresh variable $z$, $\phi(z)$ is a first-order formula without modalities or quantifiers. Let $\tau$ be the (unique) state with $(\sigma, \tau) \in \rho(\forall i{:}C\ f(s) := \theta) = \rho(\mathcal{A})$. By renaming, we can assume the quantified variable $i$ not to occur anywhere other than in $\mathcal{A}$. We write this occurrence constraint as $i \not\in u$ and $i \not\in \phi(z)$.

- Suppose $\sigma \models \exists i{:}C\ s = \langle\mathcal{A}\rangle u$, then $\sigma \models \exists i{:}C\,(s = \langle\mathcal{A}\rangle u \land \phi(\theta))$ by premiss. That is equivalent to: there is an $e \in \sigma(C)$ with $\sigma_i^e \models s = \langle\mathcal{A}\rangle u \land \phi(\theta)$. That means $\sigma_i^e{}_z^d \models \phi(z)$ for $d := \sigma_i^e[\![\theta]\!]$ by the substitution lemma. This is equivalent to $\sigma_z^d \models \phi(z)$, because $i \not\in \phi(z)$, i.e., $i$ does not occur in $\phi(z)$, so that its value is irrelevant. We want to show that $\sigma_z^d \models \phi(z)$ also holds for $d = \sigma[\![\langle\mathcal{A}\rangle f(u)]\!]$, because this implies $\sigma \models \phi(\langle\mathcal{A}\rangle f(u))$ by the substitution lemma. Now
\[
\sigma[\![\langle\mathcal{A}\rangle f(u)]\!] = \tau[\![f(u)]\!] = \tau(f)(\tau[\![u]\!]) = \tau(f)(\sigma[\![\langle\mathcal{A}\rangle u]\!]) = \tau(f)(\sigma_i^e[\![s]\!]) \overset{*}{=} \sigma_i^e[\![\theta]\!] = d .
\]
Thus $\sigma \models \phi(\langle\mathcal{A}\rangle f(u))$. The equality marked $*$ holds, because the premiss implies $\sigma_i^e \models s = \langle\mathcal{A}\rangle u$, which yields
\[
\sigma_i^e[\![s]\!] = \sigma_i^e[\![\langle\mathcal{A}\rangle u]\!] = \sigma[\![\langle\mathcal{A}\rangle u]\!]
\]
(the last step because $i \not\in u$), so that the position $\tau[\![u]\!]$ is exactly the one that $\mathcal{A}$ assigns the value $\sigma_i^e[\![\theta]\!]$ for the choice $e$ of $i$.

- Suppose $\sigma \models \neg\exists i{:}C\ s = \langle\mathcal{A}\rangle u$, then $\sigma \models \phi(f(\langle\mathcal{A}\rangle u))$ by premiss. Thus
\[
\sigma_z^d \models \phi(z)
\]
for $d := \sigma[\![f(\langle\mathcal{A}\rangle u)]\!]$ by the substitution lemma. We want to show that $\sigma_z^d \models \phi(z)$ also holds for $d = \sigma[\![\langle\mathcal{A}\rangle f(u)]\!]$, because this implies $\sigma \models \phi(\langle\mathcal{A}\rangle f(u))$ by the substitution lemma. Now
\[
\sigma[\![\langle\mathcal{A}\rangle f(u)]\!] = \tau[\![f(u)]\!] = \tau(f)(\tau[\![u]\!]) \overset{*}{=} \sigma(f)(\tau[\![u]\!]) = \sigma(f)(\sigma[\![\langle\mathcal{A}\rangle u]\!]) = \sigma[\![f(\langle\mathcal{A}\rangle u)]\!] = d .
\]
The equality marked $*$ holds, because, by the assumption $\sigma \models \neg\exists i{:}C\ s = \langle\mathcal{A}\rangle u$, we know that for the position $\tau[\![u]\!] = \sigma[\![\langle\mathcal{A}\rangle u]\!]$ there is no $e \in \sigma(C)$ such that
\[
\sigma_i^e[\![s]\!] = \tau[\![u]\!] = \sigma[\![\langle\mathcal{A}\rangle u]\!] = \sigma_i^e[\![\langle\mathcal{A}\rangle u]\!] .
\]
Thus $\mathcal{A}$ has no effect on the interpretation of $f$ at position $\tau[\![u]\!]$, and $\sigma$ and $\tau$ agree at that position.

In both cases, equivalence of premiss and conclusion can be established by following the equations and equivalences backwards, which also gives a proof for the dual rule $[{:=}]$. For the case where $\phi(z)$ contains modalities or quantifiers, the proof is accordingly, using the substitution lemma and the fact that the interpretation of the symbols occurring in $\langle\mathcal{A}\rangle f(u)$ is not affected by the modalities and quantifiers in $\phi(z)$ (since all substitutions need to be admissible for QdL rules to be applicable).
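As an added illustration, not part of the original proof, here is rule $\langle{:=}\rangle$ instantiated for the velocity update of the car example, so that the two cases above can be followed on a concrete assignment. It assumes that $n$ is a term of sort $C$ and that $t$ is a variable the assignment does not touch. Take $\mathcal{A} \equiv \forall i{:}C\ v(i) := v(i) + a(i)\,t$, so $s \equiv i$ and $\theta \equiv v(i) + a(i)\,t$, and let $u \equiv n$ with $\langle\mathcal{A}\rangle n = n$ (rule skip: $\mathcal{A}$ assigns to $v$ only, not to $n$); let $\phi(z) \equiv z \ge 0$. The rule rewrites the conclusion $\langle\mathcal{A}\rangle v(n) \ge 0$ to the premiss
\[
\text{if } \exists i{:}C\ i = n \text{ then } \exists i{:}C\,(i = n \land v(i) + a(i)\,t \ge 0) \text{ else } v(n) \ge 0 \text{ fi}.
\]
Since $n$ has sort $C$, the test $\exists i{:}C\ i = n$ holds and the first branch is equivalent to $v(n) + a(n)\,t \ge 0$; this is the first case of the proof with $e := \sigma[\![n]\!]$, where the chain of equalities specializes to
\[
\sigma[\![\langle\mathcal{A}\rangle v(n)]\!] = \tau(v)(\sigma[\![n]\!]) = \sigma_i^e[\![v(i) + a(i)\,t]\!] = \sigma[\![v(n)]\!] + \sigma[\![a(n)]\!]\cdot\sigma[\![t]\!] .
\]
The else branch is the second case of the proof: it applies when no choice of $i$ reaches the position $\tau[\![u]\!]$, so the value $v(n)$ is simply read off the unchanged interpretation. Because $s \equiv i$ is injective in $i$, $\mathcal{A}$ is deterministic and the rule is an equivalence, which is what lets the same instance be used for $[{:=}]$.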

skip Local soundness of rule skip for injective quantified assignments $\forall i{:}C\ f(s) := \theta$ is a simple consequence of the fact that a quantified assignment to $f$ cannot affect the evaluation of another operator symbol $g \neq f$, but only its arguments (assuming admissible substitutions).

ex The soundness of axiom ex (i.e., validity of the conclusion) is a simple consequence of the fact that we have assumed finite support for the createdness flag $E(\cdot)$ and that domains are infinite. That is, there are only finitely many $e \in \sigma(C)$ with $\sigma_i^e \models E(i) = 1$, while the domain $\sigma(C)$ is infinite. Consequently, in every state $\sigma$, there always is a choice $e$ for $i$ that has not been created yet ($\sigma_i^e \models E(i) \neq 1$).

$\langle{'}\rangle$ Rule $\langle{'}\rangle$ is locally sound. Let $y_s(t)$ be simultaneous solutions for the respective differential equations with symbolic initial values $f(s)$. Let $\langle\forall i{:}C\ \mathcal{S}(t)\rangle$ denote the quantified assignment
\[
\langle\forall i{:}C\ f(s) := y_s(t)\rangle .
\]
Assume $\sigma$ satisfies the premiss: $\sigma \models \exists t{\ge}0\,(\bar\chi \land \langle\forall i{:}C\ \mathcal{S}(t)\rangle\phi)$, with $\forall 0{\le}\tilde t{\le}t\ \langle\forall i{:}C\ \mathcal{S}(\tilde t)\rangle\chi$ abbreviated as $\bar\chi$. By premiss, there is a real value $r \ge 0$ such that $\sigma_t^r \models \bar\chi \land \langle\forall i{:}C\ \mathcal{S}(t)\rangle\phi$. Abbreviate $\forall i{:}C\ f(s)' = \theta\ \&\ \chi$ by $\mathcal{D}$. We have to show that $\sigma \models \langle\mathcal{D}\rangle\phi$. Equivalently, we show $\sigma_t^r \models \langle\mathcal{D}\rangle\phi$, because $t$ is a fresh variable that does not occur in $\mathcal{D}$ or $\phi$. Let the function $\varphi : [0, r] \to \mathcal{S}$ be defined such that $(\sigma, \varphi(\zeta)) \in \rho(\forall i{:}C\ \mathcal{S}(\zeta))$ for all $\zeta \in [0, r]$. By premiss, $\varphi(0)$ is identical to $\sigma$ and $\phi$ holds at $\varphi(r)$. Thus it only remains to be shown that $\varphi$ respects the constraints for the flow function in the definition of the semantics $\rho(\mathcal{D})$ in Section 4. In fact, $\varphi$ obeys the continuity and differentiability properties required for well-definedness of time-derivatives by the corresponding properties of the solution $y_s(t)$. Moreover, for any $e \in \sigma(C)$, the value $\varphi(\zeta)_i^e[\![f(s)]\!]$ has, as a function of $\zeta$, a derivative of value $\varphi(\zeta)_i^e[\![\theta]\!]$, because $y_s$ is a solution of the quantified differential equation $\forall i{:}C\ f(s)' = \theta$ with the corresponding initial values $\sigma(f(s))$. Further, the evolution invariant region $\chi$ is respected along $\varphi$ as follows: by premiss, $\sigma_t^r \models \bar\chi$ holds for the initial state $\sigma_t^r$, thus $\varphi(\zeta) \models \chi$ for all $\zeta \in [0, r]$. Combining these results, we can conclude that $\varphi$ is a witness for $\sigma \models \langle\mathcal{D}\rangle\phi$.

The converse direction can be shown accordingly to prove equivalence and the dual rule $[']$ for quantified differential equations with unique solutions (see [20]). Without unique solutions, the rule is a little more complicated, but still works: all parameters of all parametric solutions will need to be quantified over in addition to the time $t \ge 0$.

$[{:}*]$ Rules $[{:}*], \langle{:}*\rangle$ are locally sound by a simple consequence of the fact that arbitrary nondeterministic assignment of $\theta$ for any $j$ of type $C$ to $n$ is the same as the corresponding quantification over $C$. The semantics of $[\forall j{:}C\ n := \theta]$ then is equivalent to universal quantification, that of $\langle\forall j{:}C\ n := \theta\rangle$ is equivalent to existential quantification.

$\langle\rangle gen$ Rules $[]gen, \langle\rangle gen$, ind, con are sound (but not locally sound) by a variation of the usual proofs [10]. For $\langle\rangle gen$, let the premiss $\phi \to \psi$ be valid. Let the antecedent be true in a state: $\sigma \models \langle\alpha\rangle\phi$, i.e., let $(\sigma, \tau) \in \rho(\alpha)$ with $\tau \models \phi$. Hence, the premiss implies $\tau \models \phi \to \psi$, thus $\tau \models \psi$, which implies $\sigma \models \langle\alpha\rangle\psi$. The proof for $[]gen$ is accordingly.

ind Let the premiss $\phi \to [\alpha]\phi$ be valid and let the antecedent of the conclusion be true in $\sigma$, that is $\sigma \models \phi$. By premiss, $\tau \models \phi$ for all states $\tau$ with $(\sigma, \tau) \in \rho(\alpha)$. We thus conclude $\sigma \models \phi \to [\alpha^*]\phi$ by induction along the series of states reached from $\sigma$ by repeating $\alpha$.

con Assume the premiss is valid and the antecedent holds in $\sigma$. By premiss, we have
\[
\tau \models v > 0 \land \varphi(v) \to \langle\alpha\rangle\varphi(v - 1)
\]
for all states $\tau$. By antecedent, there is a $d \in \mathbb{R}$ such that $\sigma_v^d \models \varphi(v)$. Now, the proof is a well-founded induction on $d$. If $d \le 0$, we directly have $\sigma \models \langle\alpha^*\rangle\exists v{\le}0\ \varphi(v)$ for zero repetitions. Otherwise, if $d > 0$, we have, by premiss, that
\[
\sigma_v^d \models v > 0 \land \varphi(v) \to \langle\alpha\rangle\varphi(v - 1) .
\]
As $v > 0 \land \varphi(v)$ holds true at $\sigma_v^d$, we have for some $\tau$ with $(\sigma_v^d, \tau) \in \rho(\alpha)$ that $\tau \models \varphi(v - 1)$. Thus, $\tau_v^{d-1} \models \varphi(v)$ satisfies the induction hypothesis for a smaller $d$ and a reachable $\tau$, because $(\sigma, \tau) \in \rho(\alpha)$ as $v$ does not occur in $\alpha$. The induction is well-founded, because $d$ decreases by $1$ down to the base case $d \le 0$.

□

B.2 Characterizing Real Gödel Encodings

As the central device for constructing a FOQD formula that captures the effect of unboundedly many repetitive hybrid transitions and just uses finitely many real variables, we prove that a real version of Gödel encoding is definable in FOQD. That is, we give a FOQD formula that reversibly packs finite sequences of real values into a single real number.

Observe that a single differential equation system is not sufficient for defining these pairing functions, as their solutions are differentiable, yet, as a consequence of Morayne's theorem [17, reference 43], there is no differentiable surjection $\mathbb{R} \to \mathbb{R}^2$, nor to any part of $\mathbb{R}^2$ of positive measure. We show that real sequences can be encoded nevertheless by chaining the effects of solutions of multiple differential equations and quantifiers.

Lemma 1 ($\mathbb{R}$-Gödel encoding) The formula $\mathrm{at}(Z, n, j, z)$, which holds iff $Z$ is a real number that represents a Gödel encoding of a sequence of $n$ real numbers with real value $z$ at position $j$ (for a position $j$ with $1 \le j \le n$), is definable in FOQD. For a formula $\Phi(z)$ we abbreviate $\exists z\,(\mathrm{at}(Z, n, j, z) \land \Phi(z))$ by $\Phi(Z_j^{(n)})$.

Proof: The proof is an immediate corollary to a result from previous work for a sublogic of QdL [17].

□
B.3 First-order State Identification

The crucial step in the proof of Theorem 1 is the construction of QdL (in)variants that are strong enough to characterize properties of repetition. In order to characterize QHP state transitions in QdL (in)variants for the completeness proof, we first need to find formulas that characterize/identify states. For finite-dimensional systems of a fixed dimension $n$, states can simply be characterized completely by the values of all $n$ real state variables. A particular state could be characterized uniquely by the formula $x = 2 \land y = 0.5 \land z = -0.382$, for example. As a trivial corollary to Lemma 1, states can then even be characterized uniquely by one real number when using the $\mathbb{R}$-Gödel encoding. For infinite-dimensional systems, systems with changing dimension, or systems with a dynamics that depends on evolving interpretations of function symbols $f(s)$, the situation is more difficult. After all, a state of QdL is a full first-order structure with functions as interpretations of function symbols, and these interpretations can change from state to state. Furthermore, in order to navigate among states during the completeness proof, we need to be able to characterize the current first-order state, but also to recall a previously identified first-order state and express what holds true at this state.

We show that the first-order states reachable with QHP $\alpha$ from an initial state can be characterized uniquely by real numbers, which can thus be quantified over. Furthermore, we show that this correspondence can be axiomatized in FOQD. One key observation is that the first-order interpretations can change from state to state, but only according to the dynamics of the QHP. Intuitively, the difference of any reachable first-order state to the initial state can be characterized by a finite list of differences to the initial state. Clearly this difference concerns only finitely many symbols occurring in $\alpha$. It also concerns only finitely many positions of their interpreted functions, because actualist quantified assignments and actualist quantified differential equations only change the interpretation of finitely many function symbols at finitely many positions (actual quantified domains $C!$ occurring in actualist quantifiers of QHPs are finite). Note that it is crucial here that we have assumed the actual existence predicate $E(i)$ to have finite support.

Lemma 2 (State identification) Let $\Sigma_b$ be a finite set of function symbols containing $E(\cdot)$. The operators $\iota$ and $@$, which identify and recall states reachable by QHPs, are definable in FOQD such that:

1. For every QHP $\alpha$ with $BV(\alpha) \subseteq \Sigma_b$, every variable $\mathfrak{I} \not\in \Sigma_b$ of sort $\mathbb{R}$, and every state $\sigma$, the formula $\iota\mathfrak{I}$ is true in at most one of the states reachable by $\alpha$ from $\sigma$. That is, there is at most one state $\iota$ such that $(\sigma, \iota) \in \rho(\alpha)$ and $\iota \models \iota\mathfrak{I}$.

2. For every QHP $\alpha$ with $BV(\alpha) \subseteq \Sigma_b$, every variable $\mathfrak{I} \not\in \Sigma_b$ of sort $\mathbb{R}$, every formula $\phi$, and every state $\sigma$, the formula $@\mathfrak{I}\,\phi$ is true in any state reachable by $\alpha$ from $\sigma$ if and only if $\phi$ is true in the (unique) state that is reachable by $\alpha$ from $\sigma$ in which $\iota\mathfrak{I}$ holds (provided such a state is reachable at all, otherwise the truth-value of $@\mathfrak{I}\,\phi$ is arbitrary). That is, suppose there is a state $\iota$ such that $(\sigma, \iota) \in \rho(\alpha)$ and $\iota \models \iota\mathfrak{I}$ (thus, by case 1, $\iota$ is unique with that property). Then for any state $\tau$ with $(\sigma, \tau) \in \rho(\alpha)$, it is the case that $\tau \models @\mathfrak{I}\,\phi$ if and only if $\iota \models \phi$. If, on the contrary, there is no state $\iota$ with $(\sigma, \iota) \in \rho(\alpha)$ and $\iota \models \iota\mathfrak{I}$, then this lemma makes no statement concerning the truth of formula $@\mathfrak{I}\,\phi$ at any state $\tau$.

Proof: The formulas $\iota\mathfrak{I}$ and $@\mathfrak{I}\,\phi$ are like the here and at operators of hybrid-nominal logic. They can be characterized by the following FOQD formulas:
\[
\theta = \mathrm{is}_f(\mathfrak{I}, o) \equiv \text{if } \exists s{:}\mathbb{N}\,(s \le m \land X_s^{(m)} = o) \text{ then } \exists s{:}\mathbb{N}\,(s \le m \land X_s^{(m)} = o \land \theta = Y_s^{(m)}) \text{ else } \theta = f(o) \text{ fi}
\]
where $\mathfrak{I}$ is split, using the notation $\mathfrak{I}_j^{(d)}$ of Lemma 1, into the abbreviations $m$ (the number of changed positions), $X$ (the list of changed positions) and $Y$ (the list of their new values) for the symbol $f$; here $d$ is the number of symbols in $\Sigma_b$, and which components of $\mathfrak{I}$ belong to $f$ is determined by the index of $f$ in $\Sigma_b$.
\[
\iota\mathfrak{I} \equiv \bigwedge_{f \in \Sigma_b} \forall o{:}S_f\ f(o) = \mathrm{is}_f(\mathfrak{I}, o) \qquad \text{where } S_f \text{ is the sort of the arguments of } f
\]
\[
@\mathfrak{I}\,\phi \equiv \langle\forall i{:}C\ \forall u{:}\mathbb{R}\ f(i)' = u\rangle(\phi \land \iota\mathfrak{I})
\]

For defining $\iota\mathfrak{I}$ and $@\mathfrak{I}\,\phi$, we use an auxiliary function $\mathrm{is}_f(\mathfrak{I}, o)$ to improve readability. The definitions do not need recursion, so that we can consider occurrences of the defined notations as syntactic abbreviations for quantified variables satisfying the respective definitions (like for Lemma 1).

The function symbol $\mathrm{is}_f(\mathfrak{I}, o)$ gives the value ($\theta$) of function $f$ at position $o$ at the state characterized by the real number denoted by $\mathfrak{I}$. It can be defined easily using the real pairing function from Lemma 1. The basic idea is to understand $\mathfrak{I}$ via the real pairing function as a list of length $m$ of position/value pairs $(X_s^{(m)} / Y_s^{(m)})$, which characterize changes to the value $f(o)$ for each of the finitely many function symbols $f \in \Sigma_b$. Using an arbitrary but fixed ordering, these function symbols $f$ are identified with their index in $\Sigma_b$. The most important insight for the proof is that, for every state reachable by $\alpha$ from $\sigma$, the list of changes of $f$ compared to $f(o)$ at $\sigma$ is always finite after finitely many transitions of quantified state change with finite support (see end of Section 5). Consequently, the list of changes can always be encoded by one (finite) real number according to Lemma 1. Using this auxiliary function, we characterize cases 1 and 2:

Case 1: The characterization for $\iota\mathfrak{I}$ is defined as a conjunction over all relevant function symbols $f \in \Sigma_b$ asserting that the value $f(o)$ of $f$ at each position $o$ of the sort $S_f$ of $f$ is identical to the corresponding value $\mathrm{is}_f(\mathfrak{I}, o)$ characterized by $\mathfrak{I}$.

Case 2: The characterization for $@\mathfrak{I}\,\phi$ uses a quantified differential equation with a variable $u$ that only occurs on the right-hand side and thus changes $f$ at all positions $i$ with an arbitrary slope $u$. The $@\mathfrak{I}\,\phi$ characterization then checks, using $\iota\mathfrak{I}$, whether the appropriate state characterized by $\mathfrak{I}$ has been reached, and further expresses that $\phi$ holds at this state. By case 1, we know that $\iota\mathfrak{I}$ holds in at most one of the states reachable by $\alpha$ from $\sigma$. In the quantified differential equation system for $@\mathfrak{I}\,\phi$, the second quantified variable $u$ amounts to nondeterministically specifying a slope $u$ for each $f(i)$. Unlike $i$, the quantified variable $u$ only occurs on the right-hand side of the quantified differential equation. Consequently, the semantics (case 2 of the transition relation $\rho(\alpha)$ defined in Section 4) defines the states corresponding to all choices for $u$ to be reachable. These respective choices for $u$ include the choice that leads to the state characterized by $\iota\mathfrak{I}$, e.g., by choosing the slope $u := \mathrm{is}_f(\mathfrak{I}, i) - f(i)$ for each $i$ and evolving for 1 time unit.

To simplify notation, we define $@\mathfrak{I}\,\phi$ only for $\Sigma_b = \{f\}$. The construction is repeated accordingly (by nesting modalities) for each $f \in \Sigma_b$, which are finitely many. The createdness flag $E(\cdot)$ needs to be part of $\Sigma_b$ for object creation to be taken care of. □

The rest of the proof follows similar principles to those in [17]. The full proof is beyond the scope of this report.